Testing use of krb5 and gssapi in PostgreSQL?
Michael Stahl
mst at libreoffice.org
Wed Oct 16 08:49:39 UTC 2019
On 16.10.19 10:43, Michael Stahl wrote:
> On 16.10.19 08:46, Stephan Bergmann wrote:
>> On 14/10/2019 13:33, Lionel Élie Mamane wrote:
>>> On Mon, Oct 14, 2019 at 11:05:32AM +0200, Stephan Bergmann wrote:
>>>> The only use of WITH_KRB5 and WITH_GSSAPI in LO appears to be the
>>>> PostgreSQL
>>>> support (see connectivity/Library_postgresql-sdbc-impl.mk and
>>>> external/postgresql/ExternalProject_postgresql.mk). Is there some
>>>> documentation how to test whether the use of krb5 and gssapi in the
>>>> PostgreSQL support actually works?
>>>
>>> Try to connect to a PostgreSQL support with GSSAPI and Kerberos?
>>
>> For the record: Found a PostgreSQL server inside RH that I could
>> access with my RH Kerberos credentials. What I tested was "File - New
>> - Database", then on the wizard's first "Select database" page
>> "Connect to an existing database: PostgreSQL", on the second
>> "Connection settings" page specify "host=... port=5433 dbname=public
>> sslmode=require", and on the third "Set up user authentication" page
>> leave everything blank and click "Test Connection". This worked with
>> a local Linux LO build, announcing a successful test of the connection.
>>
>> For both the current LO 6.3.2 Flathub build against
>> org.freedesktop.Sdk//18.08 (where krb5 is included in the runtime), as
>> well as for a local LO 6.3.2 Flatpak build of
>> <https://github.com/flathub/org.libreoffice.LibreOffice/pull/104>
>> "Freedesktop19.08" (against org.freedesktop.Sdk//19.08, where krb5 is
>> no longer included in the runtime, but where I bundle it with LO), it
>> worked as follows:
>>
>> The test failed to access my Kerberos ticket from outside the Flatpak
>> sandbox (the connection test reporting an error ending in "GSSAPI
>> continuation error: No Kerberos credentials available (default cache:
>> FILE:/tmp/krb5cc_1000)"). But it worked when I explicitly obtained a
>> ticket inside the sandbox first (`flatpak run --command=bash
>> org.libreoffice.LibreOffice`, then in the sandbox `kinit ... &&
>> /app/libreoffice/program/soffice`).
>
> guess FILE and DIR credential cache won't work out of the box, err i
> mean inside the (sand-)box, but there's another one the KEYRING which
> stores it in the Linux kernel - i wonder if that is available inside the
> sandbox? might be a question for people who actually know something
> about kerberos :)
>
> https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
>
> on the other hand it's a very obscure feature probably, maybe not worth
> investing any effort in it...
oh, there's even another one specifically developed for containers now:
https://fedoraproject.org/wiki/Changes/KerberosKCMCache
wonder why it's not used in your case when it's claimed to be the
default, did you install pre-Fedora27 and retain an older default?
got this here, but of course no kerberos server to test...
/etc/krb5.conf.d/kcm_default_ccache: default_ccache_name = KCM:
More information about the LibreOffice
mailing list