On Fri, 19 Nov 2021 23:34:11 GMT, Valerie Peng <valer...@openjdk.org> wrote:

>> The S4U2proxy extension requires that the service ticket to the first
>> service has the forwardable flag set, but some versions of Windows Server do
>> not set the forwardable flag in a S4U2self response and accept it in a
>> S4U2proxy request.
>>
>> There are 2 commits now. The 1st is a refactoring that sends more info into
>> the methods (Ex: `KdcComm::send(byte[])` -> `KdcComm::send(KrbKdcReq)`, and
>> `Ticket` -> `Credentials` in multiple places) so that inside `KdcComm::send`
>> there is enough info to decide how to deal with various errors. The 2nd is
>> the actual fix to this issue, i.e. ignore the flag and retry another KDC.
>
> src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
> line 64:
>
>> 62: PrincipalName sname = middleTGT.getClient();
>> 63: String uRealm = user.getRealmString();
>> 64: String localRealm = middleTGT.getClient().getRealmString();
>
> nit: can just use sname on line 64?

Sure.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6082