Bug 1699235 - Firefox Flatpak unable to fetch saml login information
Summary: Firefox Flatpak unable to fetch saml login information
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 32
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jan Horak
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-04-12 08:03 UTC by Parag Nemade
Modified: 2020-10-18 11:30 UTC

Fixed In Version: firefox-master-3220201001101641.2
Last Closed: 2020-10-05 01:14:54 UTC
Type: Bug
Description Parag Nemade 2019-04-12 08:03:00 UTC
Description of problem:
I installed firefox flatpak, killed existing firefox, ran flatpak, it gave me option to restore which I did, then the tabs which required to get saml login information failed to get it and asked me to login using username/passwd.

Version-Release number of selected component (if applicable):
[parag@f30 ~]$ flatpak info org.mozilla.Firefox stable 

Firefox - Browse the Web

          ID: org.mozilla.Firefox
         Ref: app/org.mozilla.Firefox/x86_64/stable
        Arch: x86_64
      Branch: stable
      Origin: fedora
  Collection: 
Installation: system
   Installed: 201.7 MB
     Runtime: org.fedoraproject.Platform/x86_64/f29
         Sdk: org.fedoraproject.Sdk/x86_64/f29

      Commit: 5ac207ed18979af9a6e60ce68514a87bb91de4093f4d32d6e9ae480590fbd966
     Subject: Export org.mozilla.Firefox
        Date: 2019-03-28 20:27:32 +0000
      Alt-id: ece033460d927e21d89db3ba48168e7f509bf3cf5f65eb58182af9ba49aefc67


How reproducible:
always

Steps to Reproduce:
1. Install flatpak firefox
2. Restore session
3. websites which were not asking username/passwd because I already had kerberos ticket, now start asking for it.
4. if I move back to rpm based firefox, those websites do not ask username/passwd.

Actual results:
saml not working

Expected results:
saml should work

Additional info:

Comment 1 Dusty Mabe 2019-11-06 03:29:58 UTC
I'm having this problem in the latest firefox flatpak in Fedora. My base OS is Fedora 31 Silverblue.

$ flatpak --user info org.mozilla.Firefox

Firefox - Browse the Web

          ID: org.mozilla.Firefox
         Ref: app/org.mozilla.Firefox/x86_64/stable
        Arch: x86_64
      Branch: stable
      Origin: fedora
  Collection: 
Installation: user
   Installed: 369.0 MB
     Runtime: org.fedoraproject.Platform/x86_64/f30
         Sdk: org.fedoraproject.Sdk/x86_64/f30

      Commit: 19e5b7f8d1745f1456bb47525cdeeaebe284e9501d07ec787b3c822c54e3a772
     Subject: Export org.mozilla.Firefox
        Date: 2019-10-23 10:08:03 +0000
      Alt-id: 445138d3b3fbdf203c44481fe2f8be5a667d53a2a5336bd0182176dad5bde21e

Comment 2 Felipe Borges 2019-11-06 09:33:18 UTC
There are some holes to be poked in the Flatpak sandbox in order to get the kerberos ticket visible inside.

Since https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 has merged into the GNOME Platform runtime, you just need to allow your Flatpak to access /run/.heim_org.h5l.kcm-socket. For that, I just proposed https://src.fedoraproject.org/flatpaks/firefox/pull-request/1

Still, the Firefox Flatpak needs to be ported to a newer runtime that will include the changes inherited from the GNOME runtime. It will be likely present in org.fedoraproject.Platform//f31.

Comment 3 Dusty Mabe 2019-11-06 13:19:33 UTC
Thanks Felipe!

Do you happen to know when we'll move over to f31 as the base for the firefox flatpak ?

Comment 4 Dusty Mabe 2019-11-10 15:21:26 UTC
(In reply to Felipe Borges from comment #2)
> There are some holes to be poked in the Flatpak sandbox in order to get the
> kerberos ticket visible inside.
> 
> Since https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 has
> merged into the GNOME Platform runtime, you just need to allow your Flatpak
> to access /run/.heim_org.h5l.kcm-socket. For that, I just proposed
> https://src.fedoraproject.org/flatpaks/firefox/pull-request/1
> 
> Still, the Firefox Flatpak needs to be ported to a newer runtime that will
> include the changes inherited from the GNOME runtime. It will be likely
> present in org.fedoraproject.Platform//f31.


OK so I was able to workaround for now in the firefox flatpak (currently based
on Fedora 30) by doing two things:

- add --filesystem=/run/.heim_org.h5l.kcm-socket
- copy the /etc/krb5.conf.d/kcm_default_ccache file from the host into the platform flatpak
    - This file is owned by the sssd-kcm rpm
    - cp /etc/krb5.conf.d/kcm_default_ccache ~/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f30/active/files/etc/krb5.conf.d/

Felipe, do the changes in that gnome MR make it so that 2nd step is not needed?

I looked in the flatpak runtime for f31 and there is no kcm_default_ccache file there.
Should we add the sssd-kcm to https://src.fedoraproject.org/modules/flatpak-runtime/tree/f31 ?

Comment 5 Debarshi Ray 2019-11-11 08:06:44 UTC
(In reply to Dusty Mabe from comment #4)
> OK so I was able to workaround for now in the firefox flatpak (currently
> based
> on Fedora 30) by doing two things:
> 
> - add --filesystem=/run/.heim_org.h5l.kcm-socket
> - copy the /etc/krb5.conf.d/kcm_default_ccache file from the host into the
> platform flatpak
>     - This file is owned by the sssd-kcm rpm
>     - cp /etc/krb5.conf.d/kcm_default_ccache
> ~/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f30/active/
> files/etc/krb5.conf.d/
> 
> Felipe, does the changes in that gnome MR make it so that 2nd step is not
> needed?

Yes, https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 adds a /etc/krb5.conf with the right text to the GNOME runtime.

> I look in the flatpak runtime for f31 and there is no kcm_default_ccache
> file there.

Is there a /etc/krb5.conf? The GNOME runtime doesn't use the /etc/krb.conf.d setup. Everything is in the /etc/krb5.conf file.

> Should we add the sssd-kcm to
> https://src.fedoraproject.org/modules/flatpak-runtime/tree/f31 ?

The sssd-kcm RPM also contains things other than just the configuration file, e.g., /usr/libexec/sssd/sssd_kcm and friends. We should probably split the configuration file out because it can be useful for toolbox containers also.

Comment 6 Dusty Mabe 2019-11-21 14:02:59 UTC
(In reply to Debarshi Ray from comment #5)
> 
> Is there a /etc/krb5.conf? The GNOME runtime doesn't use the /etc/krb.conf.d
> setup. Everything is in the /etc/krb5.conf file.

Yes there is an /etc/krb5.conf.

Comment 7 Dusty Mabe 2019-12-16 17:29:16 UTC
OK - the firefox flatpak in Fedora has now moved to Fedora 31. I no longer need to add `--filesystem=/run/.heim_org.h5l.kcm-socket` because of https://src.fedoraproject.org/flatpaks/firefox/pull-request/1 . However I do still need to do:

- copy the /etc/krb5.conf.d/kcm_default_ccache file from the host into the platform flatpak
    - This file is owned by the sssd-kcm rpm
    - cp /etc/krb5.conf.d/kcm_default_ccache ~/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f31/active/files/etc/krb5.conf.d/



> Yes, https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389 adds a /etc/krb5.conf with the right text to the GNOME runtime.

When can we expect that change to land in the F31 org.fedoraproject.Platform ?

Comment 8 Dusty Mabe 2020-04-29 14:06:35 UTC
I still have this problem with the F32 org.fedoraproject.Platform. The krb5.conf file didn't change between F31->F32.

$ md5sum /home/dustymabe/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/{f31,f32}/active/files/etc/krb5.conf
c523bd80412c3f7aae8cfdcefd9a15d4  /home/dustymabe/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f31/active/files/etc/krb5.conf
c523bd80412c3f7aae8cfdcefd9a15d4  /home/dustymabe/.local/share/flatpak/runtime/org.fedoraproject.Platform/x86_64/f32/active/files/etc/krb5.conf

Comment 9 Dusty Mabe 2020-09-25 21:41:42 UTC
Still have this problem. The krb5.conf file did change recently but didn't change anything:

[dustymabe@media ~]$ md5sum /var/b/shared/krb5.conf /etc/krb5.conf
c523bd80412c3f7aae8cfdcefd9a15d4  /var/b/shared/krb5.conf
004cbdc2eadda9ee121af9f082f1af78  /etc/krb5.conf

[dustymabe@media ~]$ diff -u /var/b/shared/krb5.conf /etc/krb5.conf
--- /var/b/shared/krb5.conf	2020-09-25 17:33:52.825862130 -0400
+++ /etc/krb5.conf	2020-08-13 09:59:36.000000000 -0400
@@ -15,6 +15,8 @@
     rdns = false
     pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
     spake_preauth_groups = edwards25519
+    dns_canonicalize_hostname = fallback
+    qualify_shortname = ""
 #    default_realm = EXAMPLE.COM
     default_ccache_name = KEYRING:persistent:%{uid}
 
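Review bot: the setting that decides where credentials are looked up, `default_ccache_name = KEYRING:persistent:%{uid}`, appears only as unchanged context at the end of this hunk, so it is identical in both files; the two added lines (`dns_canonicalize_hostname = fallback` and `qualify_shortname = ""`) concern hostname handling and leave the credential cache type alone. That fits the md5sums differing while the behaviour stays the same. For this bug the comparison worth making is whether either file, or a drop-in such as the kcm_default_ccache file from comment 7, points the cache at KCM, which this diff cannot show.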

The workaround from https://bugzilla.redhat.com/show_bug.cgi?id=1699235#c7 still works.

Comment 10 Debarshi Ray 2020-09-29 13:33:18 UTC
Today I learnt that changes from the upstream org.gnome.Platform//3.34 runtime won't just automatically migrate to the Fedora runtimes. I am not sure how I got that implication, and given my lack of understanding of the tooling, I sort of assumed that it would be true.

My apologies and thanks for the constant poking!

I am talking to Kalev right now on finding a way to get the /etc/krb5.conf.d/kcm_default_ccache file into the Fedora runtime.

Comment 11 Debarshi Ray 2020-09-29 15:17:44 UTC
Here's a pull request to split the /etc/krb5.conf.d/kcm_default_ccache file out of the sssd-kcm sub-package into a separate sub-package that doesn't contain the entire implementation of a Kerberos KCM server:
https://src.fedoraproject.org/rpms/sssd/pull-request/6

This new configuration-only sub-package can then be pulled into the Fedora Flatpak runtimes.

Comment 12 Kalev Lember 2020-10-02 08:25:53 UTC
In the PR above, we got a suggestion to use KRB5CCNAME=KCM: env variable instead and that seems to work great. I went ahead and added it to firefox flatpak and doing a new build now.

https://src.fedoraproject.org/flatpaks/firefox/c/8e1915338fedca8ce4e362cd130716e942b87a07?branch=master
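
The end state this thread reaches (the KCM socket exposed to the sandbox, per the pull request in comment 7, plus `KRB5CCNAME=KCM:` from comment 12) can be checked against an app's permissions keyfile. The script below is an added example, not part of the original comments or of the Fedora packaging; it assumes the keyfile layout printed by `flatpak info --show-permissions org.mozilla.Firefox`, and the function names and sample keyfiles are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Flatpak permissions keyfile for Kerberos/KCM access.
KCM_SOCKET=/run/.heim_org.h5l.kcm-socket   # socket path named in comment 2

# Reads a keyfile on stdin and prints one word:
#   ok         socket listed in [Context] filesystems= and KRB5CCNAME=KCM:
#   no-socket  the KCM socket is not exposed to the sandbox
#   no-ccache  socket exposed, but KRB5CCNAME does not select KCM
kcm_audit() {
    awk -v sock="$KCM_SOCKET" '
        /^\[/ { section = $0; next }
        section == "[Context]" && /^filesystems=/ {
            sub(/^filesystems=/, "")
            n = split($0, fs, ";")
            for (i = 1; i <= n; i++) {
                p = fs[i]
                sub(/:(ro|rw|create)$/, "", p)   # drop the access suffix
                if (p == sock) have_sock = 1
            }
        }
        section == "[Environment]" && /^KRB5CCNAME=KCM:/ { have_kcm = 1 }
        END {
            if (!have_sock) print "no-socket"
            else if (!have_kcm) print "no-ccache"
            else print "ok"
        }'
}

# Constructed sample: permissions after the fixes discussed in this bug.
sample_fixed() {
    cat <<'EOF'
[Context]
shared=network;ipc;
filesystems=xdg-download;/run/.heim_org.h5l.kcm-socket;
[Environment]
KRB5CCNAME=KCM:
EOF
}

# Constructed sample: permissions with neither setting present.
sample_unfixed() {
    cat <<'EOF'
[Context]
filesystems=xdg-download;
EOF
}

echo "fixed:   $(sample_fixed | kcm_audit)"
echo "unfixed: $(sample_unfixed | kcm_audit)"
```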

Comment 13 Fedora Update System 2020-10-02 08:30:43 UTC
FEDORA-FLATPAK-2020-33129f0e78 has been submitted as an update to Fedora 32 Flatpaks. https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2020-33129f0e78

Comment 14 Fedora Update System 2020-10-03 02:23:22 UTC
FEDORA-FLATPAK-2020-33129f0e78 has been pushed to the Fedora 32 Flatpaks testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2020-33129f0e78

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2020-10-05 01:14:54 UTC
FEDORA-FLATPAK-2020-33129f0e78 has been pushed to the Fedora 32 Flatpaks stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 Dusty Mabe 2020-10-18 00:50:45 UTC
This seems to work for me. Thanks!

Comment 17 Kalev Lember 2020-10-18 11:30:39 UTC
You are welcome!
