On Oct 22, 10:54am, weijun.w...@oracle.com (Weijun Wang) wrote:
-- Subject: Re: bug fix for native kerberos libraries

| I see. So it looks like the MS tool is calling JAAS. Is it asking you to 
| prepare a JAAS login file like this?
| 
|     client {
|        com.sun.security.auth.module.Krb5LoginModule required
|        ...;
|     };
| 
| You can put a key-value pair ticketCache=ccache_file inside it where 
| ccache_file is the KRB5CCNAME env variable. This would assign the value 
| to ticketCacheName and your patch won't be needed.

The value of the environment variable is not constant, so I will
have to generate the login file at each program invocation which is
highly inconvenient. For example when ssh propagates the ticket file
from one host to another the filename changes (from /tmp/krb5cc_<uid>
to /tmp/krb5cc_uid_<random>).

| In fact, whatever credentials you specified here will not be used by the 
| final GSS mech at all (since it's native). So maybe we can just trick 
| the MS tool that a login is there but do nothing. Please try this (jdk7 
| only)
| 
|     client {
|        com.sun.security.auth.module.Krb5LoginModule required
|        principal=nobody@NOWHERE
|        useKeyTab=true
|        isInitiator=false;
|     };
| 
| If this works, you don't need to call kinit and save a ccache file somewhere.

I think that this is a good idea. I will try it and see if it works. On
the other hand, it would be nice if the native and the non-native
implementation behaved the same way. Requiring such a file for one and
not the other is not the behavior expected by the user. I understand
that my patch is not clean and that this has been brought up before
(Bug ID: 6832353), but since this is not accessible anymore I don't know
what its resolution was.

Anyway thanks for the advice, I will try and get back to you.

christos
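One way to avoid regenerating a login file on every invocation, as an added example that is not part of this thread: build the `client` entry in memory with a custom `javax.security.auth.login.Configuration` that reads KRB5CCNAME at runtime and passes it as the `ticketCache` option Weijun mentions. The class name `EnvCcacheConfig` and the `FILE:` prefix handling are my own assumptions; the option names are the documented Krb5LoginModule options.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical helper: builds the "client" JAAS entry in memory from KRB5CCNAME. */
public class EnvCcacheConfig extends Configuration {
    private static final String ENTRY_NAME = "client";   // same entry name as in the thread
    private final AppConfigurationEntry[] entries;

    public EnvCcacheConfig(String krb5ccname) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("doNotPrompt", "true");        // never fall back to an interactive password prompt
        String path = stripFilePrefix(krb5ccname);
        if (path != null) {
            opts.put("ticketCache", path);      // same effect as ticketCache=ccache_file in a login file
        }
        entries = new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                      LoginModuleControlFlag.REQUIRED,
                                      Collections.unmodifiableMap(opts))
        };
    }

    /** The C library accepts "FILE:/tmp/krb5cc_..." in KRB5CCNAME; Krb5LoginModule wants a bare path.
     *  Other cache types (e.g. KEYRING:) are not readable by the Java module and are passed through unchanged. */
    static String stripFilePrefix(String ccname) {
        if (ccname == null || ccname.isEmpty()) return null;   // null lets the module pick its default
        return ccname.startsWith("FILE:") ? ccname.substring("FILE:".length()) : ccname;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return ENTRY_NAME.equals(name) ? entries.clone() : null;
    }

    public static void main(String[] args) throws LoginException {
        Configuration cfg = new EnvCcacheConfig(System.getenv("KRB5CCNAME"));
        LoginContext lc = new LoginContext(ENTRY_NAME, new Subject(), null, cfg);
        lc.login();   // reads the TGT from the ccache; no login file on disk is needed
        System.out.println("Principals: " + lc.getSubject().getPrincipals());
    }
}
```

This only helps for the JAAS step; as the thread notes, the native GSS mechanism reads the ccache through the system Kerberos library regardless of what JAAS was given.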
