Re: Testing use of krb5 and gssapi in PostgreSQL?

On 16.10.19 10:43, Michael Stahl wrote:
> On 16.10.19 08:46, Stephan Bergmann wrote:
> > On 14/10/2019 13:33, Lionel Élie Mamane wrote:
> > > On Mon, Oct 14, 2019 at 11:05:32AM +0200, Stephan Bergmann wrote:
> > > > The only use of WITH_KRB5 and WITH_GSSAPI in LO appears to be the 
> > > > PostgreSQL
> > > > support (see connectivity/Library_postgresql-sdbc-impl.mk and
> > > > external/postgresql/ExternalProject_postgresql.mk).  Is there some
> > > > documentation how to test whether the use of krb5 and gssapi in the
> > > > PostgreSQL support actually works?
> > > Try to connect to a PostgreSQL support with GSSAPI and Kerberos?
> > For the record:  Found a PostgreSQL server inside RH that I could 
> > access with my RH Kerberos credentials.  What I tested was "File - New 
> > - Database", then on the wizard's first "Select database" page 
> > "Connect to an existing database: PostgreSQL", on the second 
> > "Connection settings" page specify "host=... port=5433 dbname=public 
> > sslmode=require", and on the third "Set up user authentication" page 
> > leave everything blank and click "Test Connection".  This worked with 
> > a local Linux LO build, announcing a successful test of the connection.
> > For both the current LO 6.3.2 Flathub build against 
> > org.freedesktop.Sdk//18.08 (where krb5 is included in the runtime), as 
> > well as for a local LO 6.3.2 Flatpak build of 
> > <https://github.com/flathub/org.libreoffice.LibreOffice/pull/104> 
> > "Freedesktop19.08" (against org.freedesktop.Sdk//19.08, where krb5 is 
> > no longer included in the runtime, but where I bundle it with LO), it 
> > worked as follows:
> > The test failed to access my Kerberos ticket from outside the Flatpak 
> > sandbox (the connection test reporting an error ending in "GSSAPI 
> > continuation error: No Kerberos credentials available (default cache: 
> > FILE:/tmp/krb5cc_1000)").  But it worked when I explicitly obtained a 
> > ticket inside the sandbox first (`flatpak run --command=bash 
> > org.libreoffice.LibreOffice`, then in the sandbox `kinit ... && 
> > /app/libreoffice/program/soffice`).
> guess FILE and DIR credential cache won't work out of the box, err i 
> mean inside the (sand-)box, but there's another one the KEYRING which 
> stores it in the Linux kernel - i wonder if that is available inside the 
> sandbox?  might be a question for people who actually know something 
> about kerberos :)
> https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
>
> on the other hand it's a very obscure feature probably, maybe not worth 
> investing any effort in it...
oh, there's even another one specifically developed for containers now:

https://fedoraproject.org/wiki/Changes/KerberosKCMCache

wonder why it's not used in your case when it's claimed to be the 
default, did you install pre-Fedora27 and retain an older default?
got this here, but of course no kerberos server to test...
/etc/krb5.conf.d/kcm_default_ccache:    default_ccache_name = KCM: