- name: Remmina
- description: GTK remote desktop client
- snapcraft: https://gitlab.com/Remmina/Remmina/-/blob/master/snap/snapcraft.yaml
- upstream: https://gitlab.com/Remmina/Remmina
- upstream-relation: same person
- interfaces:
- : system-files
- request-type: auto-connection
- reasoning: Allow read access to Kerberos config files and the profile directory. This is required for authentication using Kerberos.
- : system-files
This request has been added to the queue for review by the @reviewers team.
Forgive my ignorance around Kerberos, but snapd recently added the kerberos-tickets interface - whilst this is marked as experimental, Firefox appears to be using it - I wonder if Remmina could instead use this?
Unfortunately the kerberos-tickets interface only gives access to /tmp/krb5cc*. Remmina needs to read the Kerberos config files, not just the tickets in /tmp. Adding this interface was my first attempt to get this working. Remmina still gave errors related to access to the Kerberos configs, so I added the kerberos-config plug that uses the system-files interface to give read access to /etc/krb5.conf and /etc/krb5.conf.d.
The code for the kerberos-tickets plug can be read here to confirm this:
It is true that access to /etc/krb5.conf{,.d} is needed, but Remmina does connect the network interface, which provides access to those files. Did you observe otherwise?
% snap run --shell remmina -c 'tail -n+0 /etc/krb5.conf /etc/krb5.conf.d/*'
==> /etc/krb5.conf <==
#This is empty
==> /etc/krb5.conf.d/enable_sssd_conf_dir <==
# This file should normally be installed by your distribution into a
# directory that is included from the Kerberos configuration file (/etc/krb5.conf)
# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
This is the error I saw that suggested Remmina couldn’t read these files:
[ERROR][com.winpr.sspi.Kerberos] - [kerberos_AcquireCredentialsHandleA]: krb5_init_context (Included profile directory could not be read [-1429577696])
However, I do see that running a snap shell and reading those files results in success. I didn’t know the network interface gave access to these files; I assumed this was a snap confinement issue, but it seems to be a configuration/environment variable issue instead.
Doing more troubleshooting here, the following line in /etc/krb5.conf.d/enable_sssd_conf_dir seems to be causing Kerberos to bail out:
includedir /var/lib/sss/pubconf/krb5.include.d/
There is no access to this directory inside snap confinement:
% snap run --shell remmina -c 'ls /var/lib/sss/pubconf/krb5.include.d/'
ls: cannot access '/var/lib/sss/pubconf/krb5.include.d/': No such file or directory
Would revising the snapcraft.yaml to remove the Kerberos configs (since they are already included in the network interface) and include system-files access to this specific directory be an acceptable change?
Yeah, it is a known issue (check the summary report Alex linked); the fix was just merged in AppArmor.
Thanks for the info. I’ve submitted an MR to revert this kerberos-config commit and I’m working to get the AppArmor MR backported to Noble. You can close this interface request.
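The diagnosis reached in this thread can be automated. The script below is an added example, not part of the original thread and not Remmina or snapd code: it follows `include`/`includedir` directives from a krb5.conf and reports every target that cannot be read from the environment it runs in. The function name `check_krb5_includes` and the output format are assumptions of this example; the filename filter follows the MIT krb5.conf documentation.

```bash
#!/bin/bash
# Added example, not from the thread: follow include/includedir directives
# from a krb5.conf and report every target that is unreadable from the
# environment the script runs in (for instance inside `snap run --shell`).

# check_krb5_includes CONF [DEPTH]   (hypothetical helper name)
# Prints one "UNREADABLE ..." line per problem; returns 1 if any were found.
check_krb5_includes() {
    local conf="$1" depth="${2:-0}" status=0 directive target rest f name
    if [ "$depth" -gt 16 ]; then   # guard against include loops
        printf 'TOO-DEEP %s\n' "$conf"; return 1
    fi
    if [ ! -f "$conf" ] || [ ! -r "$conf" ]; then
        printf 'UNREADABLE file %s\n' "$conf"; return 1
    fi
    while read -r directive target rest || [ -n "$directive" ]; do
        case $directive in
        include)
            check_krb5_includes "$target" $((depth + 1)) || status=1 ;;
        includedir)
            if [ ! -d "$target" ] || [ ! -r "$target" ] || [ ! -x "$target" ]; then
                printf 'UNREADABLE includedir %s (from %s)\n' "$target" "$conf"
                status=1
                continue
            fi
            for f in "$target"/*; do
                [ -f "$f" ] || continue
                name=${f##*/}
                # Per the MIT krb5.conf documentation, only names made of
                # alphanumerics, dashes and underscores, or ending in
                # ".conf" (release 1.15+), are loaded from an includedir.
                case $name in
                *.conf) ;;
                *[!A-Za-z0-9_-]*) continue ;;
                esac
                check_krb5_includes "$f" $((depth + 1)) || status=1
            done ;;
        esac
    done < "$conf"
    return "$status"
}

# Run against the file given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    check_krb5_includes "$1"
fi
```

Run it from inside the confined environment with `/etc/krb5.conf` as the argument; an `UNREADABLE includedir` line names the directive and the file that contains it.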