brunoenten / pgadmin4-snap

Snap for the pgadmin4 postgres management tool

Fail to login with Kerberos authentication #3

Open larskanis opened 1 month ago

larskanis commented 1 month ago

Trying to log in to a Kerberos-enabled PostgreSQL server fails with:

[screenshot]

The ticket file /home/kanis/krb5cc is correct. The pgadmin4 should use it to authenticate.

I tried to change the permission from

$ ls -l /home/kanis/krb5cc 
-rw------- 1 kanis domänen-benutzer 3744 Aug  9 15:00 /home/kanis/krb5cc

to

chmod go+rw /home/kanis/krb5cc 
kanis@c1385lx:~$ : ls -l /home/kanis/krb5cc 
-rw-rw-rw- 1 kanis domänen-benutzer 3744 Aug  9 15:00 /home/kanis/krb5cc

but the error stays the same.

Authentication with psql for instance works:

$ psql -h comdb2 postgres
psql (16.3 (Ubuntu 16.3-0ubuntu0.24.04.1), server 14.4 (Ubuntu 14.4-1.pgdg18.04+1))
GSSAPI-encrypted connection
Type "help" for help.

postgres=# 

brunoenten commented 1 month ago

It seems to be an issue with snaps and Kerberos that still hasn't been resolved to this day:

https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1849346

There are a few workarounds but nothing satisfactory, especially since we're talking about security here.

I'll monitor the situation and update the snap accordingly.

Thanks for the reports!

larskanis commented 1 month ago

I already use the workaround that is mentioned in your ticket:

[libdefaults]
 default_ccache_name = FILE:/home/%{username}/krb5cc

And with this workaround usually snap packages can use Kerberos authentication. But the pgadmin4 snap fails.

However, I found the following AppArmor denials:

kernel: audit: type=1400 audit(1723453155.248:38510): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/etc/gss/mech.d/" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=0
kernel: audit: type=1400 audit(1723453155.249:38511): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
kernel: audit: type=1400 audit(1723453155.249:38512): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
kernel: audit: type=1400 audit(1723453155.296:38513): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
kernel: audit: type=1400 audit(1723453155.296:38514): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
kernel: audit: type=1400 audit(1723453155.298:38515): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
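An added example, not part of the thread or of the pgadmin4-snap project: a small parser that collapses repeated AppArmor `DENIED` audit records like the ones above into one entry per profile and path, and reports whether the calling process owns the file (`fsuid` equal to `ouid`). The function names are hypothetical; the sample records are three of the lines quoted in the comment above.

```python
import re
from collections import Counter

# Three of the audit records quoted in the comment above, copied verbatim.
SAMPLE = '''\
kernel: audit: type=1400 audit(1723453155.248:38510): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/etc/gss/mech.d/" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=0
kernel: audit: type=1400 audit(1723453155.249:38511): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
kernel: audit: type=1400 audit(1723453155.249:38512): apparmor="DENIED" operation="open" class="file" profile="snap.pgadmin4.pgadmin4" name="/home/kanis/krb5cc" pid=345587 comm="python3" requested_mask="r" denied_mask="r" fsuid=1126801433 ouid=1126801433
'''

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields if fields.get("apparmor") == "DENIED" else None


def summarize(log_text):
    """Count denials keyed by (profile, path, denied_mask, caller_owns_file)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None or "name" not in f:
            continue  # not a denial, or not a path-based one
        caller_owns = f.get("fsuid") == f.get("ouid")
        key = (f.get("profile", "?"), f["name"], f.get("denied_mask", "?"), caller_owns)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, path, mask, owns), n in summarize(SAMPLE).items():
        owner = "caller owns file" if owns else "other owner"
        print(f"{n}x {profile}: denied '{mask}' on {path} ({owner})")
```

For the ticket cache the caller already owns the file, so the denial comes from the snap's AppArmor profile rather than from the file mode, which matches the observation that `chmod go+rw` changed nothing.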