Date: prev next · Thread: first prev next last
2019 Archives by date, by thread · List index


On 16.10.19 10:43, Michael Stahl wrote:
On 16.10.19 08:46, Stephan Bergmann wrote:
On 14/10/2019 13:33, Lionel Élie Mamane wrote:
On Mon, Oct 14, 2019 at 11:05:32AM +0200, Stephan Bergmann wrote:
The only use of WITH_KRB5 and WITH_GSSAPI in LO appears to be the PostgreSQL
support (see connectivity/Library_postgresql-sdbc-impl.mk and
external/postgresql/ExternalProject_postgresql.mk).  Is there some
documentation how to test whether the use of krb5 and gssapi in the
PostgreSQL support actually works?

Try to connect to a PostgreSQL support with GSSAPI and Kerberos?

For the record:  Found a PostgreSQL server inside RH that I could access with my RH Kerberos credentials.  What I tested was "File - New - Database", then on the wizard's first "Select database" page "Connect to an existing database: PostgreSQL", on the second "Connection settings" page specify "host=... port=5433 dbname=public sslmode=require", and on the third "Set up user authentication" page leave everything blank and click "Test Connection".  This worked with a local Linux LO build, announcing a successful test of the connection.

For both the current LO 6.3.2 Flathub build against org.freedesktop.Sdk//18.08 (where krb5 is included in the runtime), as well as for a local LO 6.3.2 Flatpak build of <https://github.com/flathub/org.libreoffice.LibreOffice/pull/104> "Freedesktop19.08" (against org.freedesktop.Sdk//19.08, where krb5 is no longer included in the runtime, but where I bundle it with LO), it worked as follows:

The test failed to access my Kerberos ticket from outside the Flatpak sandbox (the connection test reporting an error ending in "GSSAPI continuation error: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)").  But it worked when I explicitly obtained a ticket inside the sandbox first (`flatpak run --command=bash org.libreoffice.LibreOffice`, then in the sandbox `kinit ... && /app/libreoffice/program/soffice`).

guess FILE and DIR credential cache won't work out of the box, err i mean inside the (sand-)box, but there's another one the KEYRING which stores it in the Linux kernel - i wonder if that is available inside the sandbox?  might be a question for people who actually know something about kerberos :)

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

on the other hand it's a very obscure feature probably, maybe not worth investing any effort in it...

oh, there's even another one specifically developed for containers now:

https://fedoraproject.org/wiki/Changes/KerberosKCMCache

wonder why it's not used in your case when it's claimed to be the default, did you install pre-Fedora27 and retain an older default?

got this here, but of course no kerberos server to test...
/etc/krb5.conf.d/kcm_default_ccache:    default_ccache_name = KCM:

Context


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.