Open larskanis opened 1 month ago
It seems to be an issue with snaps and kerberos that still hasn't been resolved to this day:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1849346
There are a few workarounds but nothing satisfactory, especially since we're talking about security here.
I'll monitor the situation and update the snap accordingly.
Thanks for the reports!
I already use the workaround that is mentioned in your ticket:
[libdefaults]
default_ccache_name = FILE:/home/%{username}/krb5cc
And with this workaround usually snap packages can use kerberos authentication. But pgadmin4 snap fails.
However I found the following apparmor denials:
kernel: audit: type=1400 audit(1723453155.248:38510): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/etc/gss/mech.d/" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=0
kernel: audit: type=1400 audit(1723453155.249:38511): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
kernel: audit: type=1400 audit(1723453155.249:38512): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
kernel: audit: type=1400 audit(1723453155.296:38513): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
kernel: audit: type=1400 audit(1723453155.296:38514): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
kernel: audit: type=1400 audit(1723453155.298:38515): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
Trying to login to a kerberos enabled PostgreSQL server fails with:
The ticket file /home/kanis/krb5cc is correct. The pgadmin4 should use it to authenticate.
I tried to change the permission from
to
but the error stays the same.
Authentication with psql for instance works:
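Added example, not part of the original thread and not pgadmin4 or snapd code: a small Python triage script for AppArmor denial records like the ones quoted above. It groups them by profile, path and mask, and compares `fsuid` with `ouid` to show whether the calling user owns the denied file. The sample log is constructed (user "alice", uid 1000, made-up pids and timestamps), and the function names are this example's own.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for key, quoted, bare in KV.findall(line):
        rec[key] = bare or quoted
        # The audit subsystem hex-encodes names containing spaces or quotes
        # and writes them unquoted; decode those back to a path.
        if key == "name" and bare and HEX.fullmatch(bare):
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
    return rec

def summarize(log_text):
    """Count denials per (profile, path, denied_mask, ownership)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        if rec.get("ouid") == rec.get("fsuid"):
            owner = "owned by caller"
        elif rec.get("ouid") == "0":
            owner = "owned by root"
        else:
            owner = "owned by other uid"
        counts[(rec.get("profile"), rec.get("name"), rec.get("denied_mask"), owner)] += 1
    return counts

# Constructed sample input (user "alice", uid 1000, made-up pids and timestamps).
_PREFIX = 'kernel: audit: type=1400 audit(1700000000.{n}:{n}): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" '
_SUFFIX = ' pid=4242 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid={ouid}'
SAMPLE_LOG = "\n".join([
    _PREFIX.format(n=1) + 'name="/etc/gss/mech.d/"' + _SUFFIX.format(ouid=0),
    _PREFIX.format(n=2) + 'name="/home/alice/krb5cc"' + _SUFFIX.format(ouid=1000),
    _PREFIX.format(n=3) + 'name="/home/alice/krb5cc"' + _SUFFIX.format(ouid=1000),
    _PREFIX.format(n=4) + "name=" + "/home/alice/krb5 cc".encode().hex().upper() + _SUFFIX.format(ouid=1000),
    "kernel: usb 1-1: new high-speed USB device",  # unrelated line, ignored
])

if __name__ == "__main__":
    for (profile, path, mask, owner), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}x {profile} denied '{mask}' on {path} ({owner})")
```

To run it on a real system, pass the kernel log text (for example the output of `journalctl -k`) to `summarize()` instead of `SAMPLE_LOG`.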