On Mon, 20 Apr 2026 11:00:30 GMT, Kieran Farrell <[email protected]> wrote:

> In DNS-based KDC discovery, failures are exposed as a generic 'KrbException: 
> Cannot locate KDC / Unable to locate KDC for realm <REALM>' with no 
> indication of whether the underlying DNS SRV lookup failed due to NXDOMAIN, 
> SERVFAIL, or a communication timeout.
> 
> To improve supportability, this patch updates 
> `KrbServiceLocator.getKerberosService(realm, protocol)` to rethrow the 
> original JNDI NamingException from the SRV lookup and attach a sanitized 
> failure category to the existing KrbException when both UDP and TCP discovery 
> attempts fail, while preserving the original top-level exception message. 
> `Config.getKDCFromDNS()` is updated to catch the exception, sanitize it into the 
> relevant category to prevent leaking any sensitive information, and attach it 
> to the existing KrbException.
> 
> 
> ---------
> - [x] I confirm that I make this contribution in accordance with the [OpenJDK 
> Interim AI Policy](https://openjdk.org/legal/ai).

src/java.security.jgss/share/classes/sun/security/krb5/Config.java line 1418:

> 1416: 
> 1417:             // add sanitized DNS discovery mode failure to exception
> 1418:             Exception last = (tcpNE != null) ? tcpNE : udpNE;

Why ignore `udpNE` when `tcpNE` is not null?

src/java.security.jgss/share/classes/sun/security/krb5/KrbServiceLocator.java 
line 190:

> 188:             }
> 189:         } catch (NamingException e) {
> 190:             throw e;

Do you really want to include the reason in the final exception, or is printing 
them out when `-Dsun.security.krb5.debug=true` is set sufficient?

test/jdk/sun/security/krb5/jaas.conf line 1:

> 1: KrbLogin {

Since you have multiple files for this test, better put them in a subdirectory.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30824#discussion_r3111520702
PR Review Comment: https://git.openjdk.org/jdk/pull/30824#discussion_r3111516853
PR Review Comment: https://git.openjdk.org/jdk/pull/30824#discussion_r3111524818
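As an added illustration of the sanitizing step described in the PR summary, and of the two review points above (reporting both the UDP and TCP failures rather than only the last one, and gating raw resolver detail behind `-Dsun.security.krb5.debug=true`), here is a stand-alone Java sketch. It is not the PR's code and not part of the JDK. It assumes the `com.sun.jndi.dns` provider's mapping of DNS response codes onto JNDI exception types (NXDOMAIN to `NameNotFoundException`, SERVFAIL to `ServiceUnavailableException`, timeouts to `CommunicationException`); the `LocateException` class stands in for the JDK-internal `KrbException`, and the `DnsFailure` enum, the `[udp: ...]`/`[tcp: ...]` labels and the constructed exception messages in `main` are the example's own.

```java
import javax.naming.CommunicationException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;

public class SrvFailureSanitizer {

    /** Sanitized DNS failure categories: safe to place in an exception message
     *  because they carry no hostnames, resolver addresses or raw resolver text. */
    enum DnsFailure { NXDOMAIN, SERVFAIL, TIMEOUT, OTHER }

    /** Stand-in for sun.security.krb5.KrbException, which is JDK-internal. */
    static class LocateException extends Exception {
        LocateException(String msg) { super(msg); }
    }

    /**
     * Map a JNDI NamingException to a category. Assumed mapping for the
     * com.sun.jndi.dns provider (verify against the resolver actually in use):
     * NXDOMAIN -> NameNotFoundException, SERVFAIL -> ServiceUnavailableException,
     * socket timeout / unreachable server -> CommunicationException.
     */
    static DnsFailure categorize(NamingException e) {
        if (e instanceof NameNotFoundException)       return DnsFailure.NXDOMAIN;
        if (e instanceof ServiceUnavailableException) return DnsFailure.SERVFAIL;
        if (e instanceof CommunicationException)      return DnsFailure.TIMEOUT;
        return DnsFailure.OTHER;
    }

    /**
     * Describe both discovery attempts, not just the last one; a null argument
     * means that transport was not tried or did not throw.
     */
    static String describe(NamingException udpNE, NamingException tcpNE) {
        StringBuilder sb = new StringBuilder("DNS SRV lookup failed");
        if (udpNE != null) sb.append(" [udp: ").append(categorize(udpNE)).append(']');
        if (tcpNE != null) sb.append(" [tcp: ").append(categorize(tcpNE)).append(']');
        return sb.toString();
    }

    /**
     * Build the user-facing exception. The original top-level message is kept,
     * the sanitized categories are attached as a suppressed exception, and the
     * raw NamingException text (which may name internal resolvers or zones)
     * is only written to stderr when -Dsun.security.krb5.debug=true is set.
     */
    static LocateException locateFailure(String realm, NamingException udpNE,
                                         NamingException tcpNE) {
        LocateException ke = new LocateException("Cannot locate KDC for realm " + realm);
        ke.addSuppressed(new Exception(describe(udpNE, tcpNE)));
        if (Boolean.getBoolean("sun.security.krb5.debug")) {
            for (NamingException ne : new NamingException[] { udpNE, tcpNE }) {
                if (ne != null) System.err.println(">>> DNS SRV lookup: " + ne);
            }
        }
        return ke;
    }

    public static void main(String[] args) {
        // Constructed failures standing in for what the JNDI DNS provider throws;
        // the resolver address and response code text below are made up.
        NamingException udp = new CommunicationException("DNS error: resolver 10.0.0.53 timed out");
        NamingException tcp = new NameNotFoundException("DNS name not found [response code 3]");

        LocateException ke = locateFailure("EXAMPLE.COM", udp, tcp);
        System.out.println(ke.getMessage());
        for (Throwable s : ke.getSuppressed()) {
            System.out.println("  " + s.getMessage());
        }
    }
}
```

Run it once plainly and once with `-Dsun.security.krb5.debug=true` to see the difference: the top-level message and the suppressed category line are the same in both runs, while the raw resolver text appears on stderr only in the debug run.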