I'm not familiar with how Mac does it, but normally there are two ways a Kerberos authentication is performed: through the initial login and through kinit. The former is integrated into the system (a pam module?) and I guess in this case the config is inside SCDynamicStoreConfig. For the latter, the Kerberos clients are regarded as standalone tools and a /etc/krb5.conf is needed.

Java works in both ways: if there is already a credentials cache, it will happily use it. On the other hand, it also includes the Krb5LoginModule that does all the login itself. Therefore, it should read both styles of config on a Mac.

I've filed a new bug. It will appear soon at

   http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7184815

Thanks
Max


On 07/17/2012 10:35 PM, Mike Swingler wrote:
On Jul 16, 2012, at 8:32 PM, Weijun Wang <[email protected]> wrote:

Ping again.

On 07/05/2012 04:34 PM, Weijun Wang wrote:
Hi Scott

On Mac since Lion, sun.security.krb5.Config tries to locate the config
info in this order:

1. java.security.krb5.conf system property
2. ${jre}/lib/security/krb5.conf
3. SCDynamicStoreConfig

The main difference from other platforms is that it will not try config
files, say, /Library/Preferences/edu.mit.Kerberos or /etc/krb5.conf.

On the other hand, even /usr/bin/kinit comes with Lion reads the config
file (if there is no SCDynamicStoreConfig setting).

Is there a special reason for the current Java behavior? I do notice
that the Apple 6u33 already does this.

No special reason I can think of, beyond simply swapping the implementation to 
read from the SCDynamicStoreConfig. Java SE 6 had previously been relying 
on the system to write out a /Library/Preferences/edu.mit.Kerberos file, but 
that went away with OS X 10.7, so we didn't see much point in reading the file, 
since little else on the system would be paying attention to it either for the 
purposes of SSO.

It seems perfectly reasonable that if there are no SCDynamicStoreConfig 
entries, falling back to reading the legacy config files may be a valid option. 
I'm actually somewhat surprised that they are consulted by kinit.

Regards,
Mike Swingler
Apple Inc.
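The thread describes two ways Java obtains Kerberos credentials (reusing an existing credentials cache, or letting Krb5LoginModule do the login itself) and the order in which sun.security.krb5.Config looks for configuration, with the java.security.krb5.conf system property taking precedence over everything else. The program below is an added example, not code from the thread or from the JDK: it tries the ticket-cache path first, falls back to a keytab login if a principal and keytab are supplied, and lets the caller pin krb5.conf explicitly so the platform-specific search (which on Lion ends at SCDynamicStoreConfig and never reads /etc/krb5.conf) is bypassed. The class name, the argument layout and the "probe" JAAS entry name are assumptions; a reachable KDC and realm are required to see a successful login.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * KrbConfigProbe (example code, not part of the JDK or this thread).
 *
 * Usage:
 *   java -Dsun.security.krb5.debug=true KrbConfigProbe [krb5.conf] [principal keytab]
 *
 * 1. With no arguments, Krb5LoginModule is told to reuse an existing
 *    credentials cache (for example one filled by /usr/bin/kinit).
 * 2. If that fails and a principal and keytab are given, it performs the
 *    login itself from the keytab.
 *
 * A krb5.conf path, when given, is set as java.security.krb5.conf, which
 * the JDK consults before any other location.
 */
public class KrbConfigProbe {

    /* Builds an in-memory JAAS configuration for Krb5LoginModule with the given options. */
    static Configuration jaasFor(final Map<String, String> options) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, options)
                };
            }
        };
    }

    /* Attempts a JAAS login; returns the populated Subject, or null if the login failed. */
    static Subject tryLogin(String label, Map<String, String> options) {
        try {
            // "probe" is an arbitrary entry name; jaasFor() ignores it.
            LoginContext lc = new LoginContext("probe", null, null, jaasFor(options));
            lc.login();
            System.out.println(label + ": login succeeded");
            return lc.getSubject();
        } catch (LoginException e) {
            System.out.println(label + ": login failed: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        if (args.length >= 1) {
            // Explicit config wins over every other location the JDK would consult.
            System.setProperty("java.security.krb5.conf", args[0]);
        }

        // Path 1: reuse a credentials cache that kinit (or the system login) already filled.
        Map<String, String> cacheOpts = new HashMap<String, String>();
        cacheOpts.put("useTicketCache", "true");
        cacheOpts.put("doNotPrompt", "true");   // fail instead of asking for a password
        Subject subject = tryLogin("ticket cache", cacheOpts);

        // Path 2: let Krb5LoginModule do the login itself, from a keytab.
        if (subject == null && args.length >= 3) {
            Map<String, String> keytabOpts = new HashMap<String, String>();
            keytabOpts.put("useKeyTab", "true");
            keytabOpts.put("keyTab", args[2]);
            keytabOpts.put("principal", args[1]);
            keytabOpts.put("doNotPrompt", "true");
            keytabOpts.put("storeKey", "true");
            subject = tryLogin("keytab", keytabOpts);
        }

        if (subject == null) {
            System.out.println("no credentials obtained; rerun with "
                + "-Dsun.security.krb5.debug=true to see which config was loaded");
            System.exit(1);
        }

        // Show what ended up in the Subject: client, service and expiry of each ticket.
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println(t.getClient() + " -> " + t.getServer()
                + " (expires " + t.getEndTime() + ")");
        }
    }
}
```

Running it once without a krb5.conf argument and once with /etc/krb5.conf shows the difference the thread is about: on a Lion machine with no SCDynamicStoreConfig entries the first run fails to find any realm or KDC, while the second picks up the file that kinit already honours. The sun.security.krb5.debug property makes the JDK print which configuration source it read, which is the quickest way to confirm which of the three locations won.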

