I forgot to ask:

Your patch mentioned MEMORY: ccache. What is the full string? Is there any document on it?

Thanks
Weijun

On 10/22/2012 11:29 AM, Weijun Wang wrote:


On 10/22/2012 11:10 AM, chris...@zoulas.com wrote:
On Oct 22, 10:54am, weijun.w...@oracle.com (Weijun Wang) wrote:
-- Subject: Re: bug fix for native kerberos libraries

| I see. So it looks like the MS tool is calling JAAS. Is it asking you to
| prepare a JAAS login file like this?
|
|     client {
|        com.sun.security.auth.module.Krb5LoginModule required
|        ...;
|     };
|
| You can put a key-value pair ticketCache=ccache_file inside it where
| ccache_file is the KRB5CCNAME env variable. This would assign the value
| to ticketCacheName and your patch won't be needed.

The value of the environment variable is not constant, so I will
have to generate the login file at each program invocation, which is
highly inconvenient. For example, when ssh propagates the ticket file
from one host to another the filename changes (from /tmp/krb5cc_<uid>
to /tmp/krb5cc_uid_<random>).

I see.


| In fact, whatever credentials you specified here will not be used by the
| final GSS mech at all (since it's native). So maybe we can just trick
| the MS tool that a login is there but do nothing. Please try this (jdk7
| only)
|
|     client {
|        com.sun.security.auth.module.Krb5LoginModule required
|        principal=nobody@NOWHERE
|        useKeyTab=true
|        isInitiator=false;
|     };
|
| If this works, you don't need to call kinit and save a ccache file somewhere.

I think that this is a good idea. I will try it and see if it works. On
the other hand, it would be nice if the native and the non-native
implementation behaved the same way. Requiring such a file for one and
not the other is not the behavior expected by the user.

Well, the java krb5 and native krb5 mechs are so different that the
latter needs no JAAS at all. So even if you make the config file look
the same, it's still quite different inside.

I understand that my patch is not clean and that this has been brought
up before (Bug ID: 6832353), but since this is not accessible anymore I
don't know what its resolution was.

Oh, I forgot about that bug. It was integrated into jdk 7.

Can you please add "-Dsun.security.krb5.debug=true" to your java command
line? It will show something like

    >>>KinitOptions cache name is ...

If the cache name shows your KRB5CCNAME it should be picked up. I
haven't removed the FILE: prefix and maybe that is the problem. Since
you are already playing with OpenJDK sources, can you try adding the
prefix removing code around line 366 in the following file?


http://hg.openjdk.java.net/jdk8/tl/jdk/file/79b63e8eceda/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java


If that works, I'll happily apply the change to jdk 7 and 8.

Thanks
Weijun


Anyway, thanks for the advice. I will try and get back to you.

christos
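The thread above turns on one detail: the JDK's file-backed credentials cache loader was handed the raw KRB5CCNAME value, which may carry a "FILE:" prefix (and, as the first message asks, may name a non-file cache such as MEMORY:). The following is an added example, not code from the JDK or from either participant, of the parsing a file-backed loader needs before it opens the path: strip an optional FILE: prefix, treat a bare name as FILE (MIT krb5's default), and refuse cache types a file loader cannot open so the caller can fall back instead of failing on a path like "MEMORY:foo". The class name, method names and sample cache names are hypothetical; the Windows drive-letter check is an assumption about what a robust parser should do, not a description of the JDK.

```java
// Added example (not JDK code): parse a KRB5CCNAME-style cache name the way a
// FILE-backed cache loader would need to before opening the path.
// Class and method names are hypothetical.
import java.util.Locale;

public final class CcacheName {

    /** Cache type and residual split from "TYPE:residual". */
    public static final class Parsed {
        public final String type;      // e.g. "FILE", "MEMORY"; "FILE" when no prefix
        public final String residual;  // e.g. "/tmp/krb5cc_1000"
        Parsed(String type, String residual) { this.type = type; this.residual = residual; }
    }

    /**
     * Split a cache name into type and residual. A name with no "TYPE:" prefix
     * is treated as FILE, which is also MIT krb5's default. A Windows path such
     * as "C:\path" must not be mistaken for a cache type "C", so a single
     * character followed by a path separator is treated as a path (assumption).
     */
    public static Parsed parse(String ccname) {
        if (ccname == null || ccname.isEmpty()) {
            throw new IllegalArgumentException("empty cache name");
        }
        int colon = ccname.indexOf(':');
        boolean driveLetter = colon == 1 && ccname.length() > 2
                && (ccname.charAt(2) == '\\' || ccname.charAt(2) == '/');
        if (colon <= 0 || driveLetter) {
            return new Parsed("FILE", ccname);
        }
        String type = ccname.substring(0, colon).toUpperCase(Locale.ROOT);
        if (!type.chars().allMatch(c -> Character.isLetter(c))) {
            // Something like "/tmp/odd:name": a colon inside a path, not a type prefix.
            return new Parsed("FILE", ccname);
        }
        return new Parsed(type, ccname.substring(colon + 1));
    }

    /**
     * Return the path for a FILE-type cache name (with or without the "FILE:"
     * prefix), or null when the name refers to a cache type a file-based
     * loader cannot open (MEMORY:, DIR:, KCM:, ...), so the caller can fall
     * back to the default /tmp/krb5cc_<uid> location or to the native mech
     * instead of trying to open "MEMORY:foo" as a file.
     */
    public static String fileCachePath(String ccname) {
        Parsed p = parse(ccname);
        return "FILE".equals(p.type) ? p.residual : null;
    }

    public static void main(String[] args) {
        // Constructed inputs: what KRB5CCNAME might hold after kinit or after
        // ssh forwarded the ticket to another host.
        String[] samples = {
            "/tmp/krb5cc_1000",
            "FILE:/tmp/krb5cc_1000_AbC123",
            "MEMORY:gss_tool",
            "DIR:/run/user/1000/krb5cc",
        };
        for (String s : samples) {
            Parsed p = parse(s);
            System.out.printf("%-30s type=%-7s residual=%-28s usable-as-file=%s%n",
                    s, p.type, p.residual, fileCachePath(s) != null);
        }
    }
}
```

To see what a given JDK actually does with the value, run the application with -Dsun.security.krb5.debug=true as suggested in the thread and compare the ">>>KinitOptions cache name is ..." line with the parsed residual above: if the debug output still shows the "FILE:" prefix, the loader is opening the prefixed string as a path.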
