I'm working with a custom build of the SignalFx Synthetics Agent, which uses Puppeteer and Google Chrome. Previously, Kerberos authentication worked fine with the following setup:
krb5-user and krb5-pkinit
/etc/opt/chrome/policies/managed/
kinit just before launching the agent
This setup allowed Chrome to authenticate via Kerberos without issues.
However, after upgrading the container, the setup was split across two user accounts:
original account is executing browser for tasks with sudo.
Since this change, Chrome appears to ignore the custom policies and fails to use Kerberos authentication.
The last semi-successful workaround I tried was:
Renaming the Chrome binary:
mv /opt/google/chrome/google-chrome /opt/google/chrome/google-chrome.exe
Creating a wrapper script at /opt/google/chrome/google-chrome that:
I confirmed via debug output that the Kerberos ticket is valid and present. However, Chrome still doesn't seem to recognize or use it.
How can I force Chrome to respect the custom policies and successfully use Kerberos authentication in this multi-user container setup?
So I finally figured it out.
After enabling logs for Chrome, I got the error Unable to create AuthHandler. Status: net::ERR_UNSUPPORTED_AUTH_SCHEME Challenge: Negotiate, which allowed me to find this: https://issues.chromium.org/issues/40936572
After several tries, this looks like a working solution:
echo '{"net":{"received_http_auth_negotiate_headers": true}}' > ~/.config/google-chrome/Local\ State
FLAGS=$(echo "$@" | sed -E 's#--user-data-dir=[^ ]*##g')
/opt/google/chrome/google-chrome.exe $FLAGS
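
The same workaround as a complete wrapper script, added here as an example and not the poster's own code: it seeds Local State, warns when klist -s finds no valid ticket, and removes --user-data-dir= arguments one by one instead of flattening the argument list, so arguments containing spaces reach Chrome intact. The REAL_CHROME override and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: wrapper installed as /opt/google/chrome/google-chrome.
# REAL_CHROME is the renamed binary from the question; the environment
# override is an assumption of this example, used for testing.
REAL_CHROME="${REAL_CHROME:-/opt/google/chrome/google-chrome.exe}"

# Write the Local State preference from the answer into the default profile
# directory of the invoking user. This replaces any existing Local State
# file, as the answer's echo does.
seed_local_state() {
    dir="$HOME/.config/google-chrome"
    mkdir -p "$dir" || return 1
    printf '%s\n' '{"net":{"received_http_auth_negotiate_headers": true}}' \
        > "$dir/Local State"
}

# Warn (without blocking the launch) when this user has no valid ticket cache.
# klist -s prints nothing and reports the result through its exit status.
warn_if_no_ticket() {
    if ! klist -s 2>/dev/null; then
        echo "chrome-wrapper: no valid Kerberos ticket for $(id -un)" >&2
    fi
}

# Drop every --user-data-dir=... argument and exec the real binary with the
# rest. Arguments are filtered one at a time, so values containing spaces or
# glob characters are passed through unchanged.
launch_chrome() {
    for arg do
        shift
        case "$arg" in
            --user-data-dir=*) ;;            # dropped: use the default profile
            *) set -- "$@" "$arg" ;;         # kept, in original order
        esac
    done
    exec "$REAL_CHROME" "$@"
}

# Only launch when the real binary exists, so the functions above can be
# exercised on a machine without Chrome.
if [ -x "$REAL_CHROME" ]; then
    seed_local_state
    warn_if_no_ticket
    launch_chrome "$@"
fi
```

seed_local_state writes under $HOME, so when the browser is started through sudo, HOME has to point at the home directory of the account Chrome runs as.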