Testing use of krb5 and gssapi in PostgreSQL?

Michael Stahl mst at libreoffice.org
Wed Oct 16 08:43:00 UTC 2019

On 16.10.19 08:46, Stephan Bergmann wrote:
> On 14/10/2019 13:33, Lionel Élie Mamane wrote:
>> On Mon, Oct 14, 2019 at 11:05:32AM +0200, Stephan Bergmann wrote:
>>> The only use of WITH_KRB5 and WITH_GSSAPI in LO appears to be the 
>>> PostgreSQL
>>> support (see connectivity/Library_postgresql-sdbc-impl.mk and
>>> external/postgresql/ExternalProject_postgresql.mk).  Is there some
>>> documentation how to test whether the use of krb5 and gssapi in the
>>> PostgreSQL support actually works?
>> Try to connect to a PostgreSQL support with GSSAPI and Kerberos?
> For the record:  Found a PostgreSQL server inside RH that I could access 
> with my RH Kerberos credentials.  What I tested was "File - New - 
> Database", then on the wizard's first "Select database" page "Connect to 
> an existing database: PostgreSQL", on the second "Connection settings" 
> page specify "host=... port=5433 dbname=public sslmode=require", and on 
> the third "Set up user authentication" page leave everything blank and 
> click "Test Connection".  This worked with a local Linux LO build, 
> announcing a successful test of the connection.
> For both the current LO 6.3.2 Flathub build against 
> org.freedesktop.Sdk//18.08 (where krb5 is included in the runtime), as 
> well as for a local LO 6.3.2 Flatpak build of 
> <https://github.com/flathub/org.libreoffice.LibreOffice/pull/104> 
> "Freedesktop19.08" (against org.freedesktop.Sdk//19.08, where krb5 is no 
> longer included in the runtime, but where I bundle it with LO), it 
> worked as follows:
> The test failed to access my Kerberos ticket from outside the Flatpak 
> sandbox (the connection test reporting an error ending in "GSSAPI 
> continuation error: No Kerberos credentials available (default cache: 
> FILE:/tmp/krb5cc_1000)").  But it worked when I explicitly obtained a 
> ticket inside the sandbox first (`flatpak run --command=bash 
> org.libreoffice.LibreOffice`, then in the sandbox `kinit ... && 
> /app/libreoffice/program/soffice`).

guess FILE and DIR credential cache won't work out of the box, err i 
mean inside the (sand-)box, but there's another one the KEYRING which 
stores it in the Linux kernel - i wonder if that is available inside the 
sandbox?  might be a question for people who actually know something 
about kerberos :)


on the other hand it's a very obscure feature probably, maybe not worth 
investing any effort in it...

More information about the LibreOffice mailing list