Testing use of krb5 and gssapi in PostgreSQL?

Michael Stahl mst at libreoffice.org
Wed Oct 16 08:49:39 UTC 2019


On 16.10.19 10:43, Michael Stahl wrote:
> On 16.10.19 08:46, Stephan Bergmann wrote:
>> On 14/10/2019 13:33, Lionel Élie Mamane wrote:
>>> On Mon, Oct 14, 2019 at 11:05:32AM +0200, Stephan Bergmann wrote:
>>>> The only use of WITH_KRB5 and WITH_GSSAPI in LO appears to be the 
>>>> PostgreSQL
>>>> support (see connectivity/Library_postgresql-sdbc-impl.mk and
>>>> external/postgresql/ExternalProject_postgresql.mk).  Is there some
>>>> documentation how to test whether the use of krb5 and gssapi in the
>>>> PostgreSQL support actually works?
>>>
>>> Try to connect to a PostgreSQL support with GSSAPI and Kerberos?
>>
>> For the record:  Found a PostgreSQL server inside RH that I could 
>> access with my RH Kerberos credentials.  What I tested was "File - New 
>> - Database", then on the wizard's first "Select database" page 
>> "Connect to an existing database: PostgreSQL", on the second 
>> "Connection settings" page specify "host=... port=5433 dbname=public 
>> sslmode=require", and on the third "Set up user authentication" page 
>> leave everything blank and click "Test Connection".  This worked with 
>> a local Linux LO build, announcing a successful test of the connection.
>>
>> For both the current LO 6.3.2 Flathub build against 
>> org.freedesktop.Sdk//18.08 (where krb5 is included in the runtime), as 
>> well as for a local LO 6.3.2 Flatpak build of 
>> <https://github.com/flathub/org.libreoffice.LibreOffice/pull/104> 
>> "Freedesktop19.08" (against org.freedesktop.Sdk//19.08, where krb5 is 
>> no longer included in the runtime, but where I bundle it with LO), it 
>> worked as follows:
>>
>> The test failed to access my Kerberos ticket from outside the Flatpak 
>> sandbox (the connection test reporting an error ending in "GSSAPI 
>> continuation error: No Kerberos credentials available (default cache: 
>> FILE:/tmp/krb5cc_1000)").  But it worked when I explicitly obtained a 
>> ticket inside the sandbox first (`flatpak run --command=bash 
>> org.libreoffice.LibreOffice`, then in the sandbox `kinit ... && 
>> /app/libreoffice/program/soffice`).
> 
> guess FILE and DIR credential cache won't work out of the box, err i 
> mean inside the (sand-)box, but there's another one the KEYRING which 
> stores it in the Linux kernel - i wonder if that is available inside the 
> sandbox?  might be a question for people who actually know something 
> about kerberos :)
> 
> https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
> 
> on the other hand it's a very obscure feature probably, maybe not worth 
> investing any effort in it...

oh, there's even another one specifically developed for containers now:

https://fedoraproject.org/wiki/Changes/KerberosKCMCache

wonder why it's not used in your case when it's claimed to be the 
default, did you install pre-Fedora27 and retain an older default?

got this here, but of course no kerberos server to test...
/etc/krb5.conf.d/kcm_default_ccache:    default_ccache_name = KCM:
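
The cache types discussed in this message (FILE, DIR, KEYRING, KCM) differ in where the tickets are stored, which is what decides whether a sandboxed process can see them. The following is an added example, not part of the original message or of LibreOffice: a shell sketch that resolves the default cache name and classifies its storage. The function names are hypothetical, and the precedence shown (the `KRB5CCNAME` environment variable, then `default_ccache_name`, then the `FILE:/tmp/krb5cc_<uid>` default from the quoted error message) is an assumption, as is reading the first match without honouring sections or include directives.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print the first default_ccache_name value found in the files given, in the
# order given. Simplification: sections and include directives are ignored.
configured_ccache() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$f" | head -n 1)
        [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    done
    return 1
}

# effective_ccache ENV_VALUE UID FILE...
# Assumed order: KRB5CCNAME, then configuration, then the FILE:/tmp default
# that appears in the error message quoted in the thread.
effective_ccache() {
    env_value=$1; uid=$2; shift 2
    if [ -n "$env_value" ]; then printf '%s\n' "$env_value"; return 0; fi
    name=$(configured_ccache "$@") || name='FILE:/tmp/krb5cc_%{uid}'
    printf '%s\n' "$name" | sed "s/%{uid}/$uid/g"
}

# Map a cache name to where the tickets are stored.
ccache_storage() {
    case $1 in
        FILE:*|DIR:*) echo filesystem ;;
        KEYRING:*)    echo kernel-keyring ;;
        KCM:*)        echo kcm-daemon ;;
        MEMORY:*)     echo process-memory ;;
        *:*)          echo other ;;
        *)            echo filesystem ;;  # no type prefix is treated as FILE
    esac
}

# Constructed sample mirroring the kcm_default_ccache snippet quoted above.
demo=$(mktemp)
printf '[libdefaults]\n    default_ccache_name = KCM:\n' > "$demo"
for cc in '' 'KEYRING:persistent:1000'; do
    n=$(effective_ccache "$cc" 1000 "$demo")
    echo "KRB5CCNAME='$cc' -> $n ($(ccache_storage "$n"))"
done
n=$(effective_ccache '' 1000 /nonexistent/krb5.conf)
echo "no configuration -> $n ($(ccache_storage "$n"))"
rm -f "$demo"
```

Calling `effective_ccache` with the real configuration paths on the host and again inside `flatpak run --command=bash org.libreoffice.LibreOffice` shows whether both sides resolve to the same cache name and storage.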

