On Fri, 24 Apr 2026 15:22:18 GMT, Kieran Farrell <[email protected]> wrote:
>> In DNS-based KDC discovery failures are exposed as generic 'KrbException:
>> Cannot locate KDC / Unable to locate KDC for realm <REALM>' with no
>> indication whether the underlying DNS SRV lookup failed due to NXDOMAIN,
>> SERVFAIL, or a communication timeout.
>>
>> To improve supportability, this patch updates
>> `KrbServiceLocator.getKerberosService(realm, protocol)` to rethrow the
>> original JNDI NamingException from the SRV lookup and attach a sanitized
>> failure category to the existing KrbException when both udp and tcp
>> discovery attempts fail, while preserving the original top level exception
>> message. `Config.getKDCFromDNS()` is updated to catch exception, sanitize it
>> into the relevant category to prevent leaking any sensitive information and
>> attach it to the existing KrbException.
>>
>>
>> ---------
>> - [x] I confirm that I make this contribution in accordance with the
>> [OpenJDK Interim AI Policy](https://openjdk.org/legal/ai).
>
> Kieran Farrell has updated the pull request incrementally with two additional
> commits since the last revision:
>
> - update
> - update to printstacktrace from config.java

src/java.security.jgss/share/classes/sun/security/krb5/KrbServiceLocator.java line 59:

> 57: public static final Debug DEBUG = Debug.of("krb5",
> 58: System.getProperty("sun.security.krb5.debug"));
> 59:

Just do like the other classes:

    import static sun.security.krb5.internal.Krb5.DEBUG;

src/java.security.jgss/share/classes/sun/security/krb5/KrbServiceLocator.java line 123:

> 121: if (DEBUG) {
> 122: e.printStackTrace();
> 123: }

Still need to be `if (DEBUG != null) { e.printStackTrace(DEBUG.getPrintStream()); }`.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30824#discussion_r3138652069
PR Review Comment: https://git.openjdk.org/jdk/pull/30824#discussion_r3138662939
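
The sanitizing pattern described in the quoted PR summary, as an added example that is not code from the pull request or from the JDK: the raw `NamingException` stays local (and goes only to a null-guarded debug stream), while the caller sees the unchanged top-level message plus a fixed category name. The class, the `SrvLookup` interface, the `demo.krb5.debug` property, the category names and the exception-type mapping are assumptions made for illustration, and plain `Exception` stands in for `KrbException`.

```java
import java.io.PrintStream;
import javax.naming.CommunicationException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;

public class KdcDiscoveryDemo {
    // Fixed vocabulary: the only lookup detail allowed to reach the caller.
    enum Category { NXDOMAIN, SERVFAIL, TIMEOUT, OTHER }

    // Hypothetical debug sink: null unless -Ddemo.krb5.debug=true is set.
    static final PrintStream DEBUG_OUT =
            Boolean.getBoolean("demo.krb5.debug") ? System.err : null;

    // Hypothetical stand-in for the JNDI SRV query.
    interface SrvLookup { String[] query(String srvName) throws NamingException; }

    // Assumed mapping from JNDI exception types to categories.
    static Category categorize(NamingException e) {
        if (e instanceof NameNotFoundException) return Category.NXDOMAIN;
        if (e instanceof ServiceUnavailableException) return Category.SERVFAIL;
        if (e instanceof CommunicationException) return Category.TIMEOUT;
        return Category.OTHER;
    }

    static String[] locateKdc(String realm, SrvLookup dns) throws Exception {
        NamingException last = null;
        for (String proto : new String[] {"_udp", "_tcp"}) {
            try {
                return dns.query("_kerberos." + proto + "." + realm);
            } catch (NamingException e) {
                last = e; // raw detail stays local
                if (DEBUG_OUT != null) e.printStackTrace(DEBUG_OUT);
            }
        }
        // Top-level message is unchanged; the cause carries the category only,
        // never the original message or stack trace.
        Exception top = new Exception("Unable to locate KDC for realm " + realm);
        top.initCause(new Exception("DNS SRV lookup failed: " + categorize(last)));
        throw top;
    }

    public static void main(String[] args) {
        // Constructed failure whose message names an internal resolver address.
        SrvLookup failing = name -> {
            throw new ServiceUnavailableException("server failure at 10.0.0.53 for " + name);
        };
        try {
            locateKdc("EXAMPLE.TEST", failing);
        } catch (Exception e) {
            System.out.println(e.getMessage());
            System.out.println(e.getCause().getMessage());
        }
    }
}
```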
