Bug ID: JDK-7184815 [macosx] Need to read Kerberos config in files

Details
Type: Bug
Submit Date: 2012-07-18
Status: Closed
Updated Date: 2013-07-11
Project Name: JDK
Resolved Date: 2012-09-01
Component: security-libs
OS: os_x
Sub-Component: java.security
CPU: generic
Priority: P3
Resolution: Fixed
Affected Versions: 8
Fixed Versions: 7u40 (b06)


Description
On Mac since Lion, sun.security.krb5.Config tries to locate the config info in this order:

1. java.security.krb5.conf system property
2. ${jre}/lib/security/krb5.conf
3. SCDynamicStoreConfig

The main difference from other platforms is that it will not try config files, say, /Library/Preferences/edu.mit.Kerberos or /etc/krb5.conf.

On the other hand, even the /usr/bin/kinit that comes with Lion reads the config file (if there is no SCDynamicStoreConfig setting).

It seems perfectly reasonable that if there are no SCDynamicStoreConfig entries, falling back to reading the legacy config files may be a valid option.

                                    

Comments
EVALUATION

No regression test is available because, in order to verify the fix:

1. changes to a system config file (for example, /etc/krb5.conf) are needed.
2. the Mac part needs a Mac server setup with SCDynamicStoreConfig

Please verify the fix by checking the output of sun.security.krb5.Config.getInstance().getDefaultRealm().

1. When -Djava.security.krb5.realm=A is provided, it should be A
2. Otherwise, if on Mac Lion and SCDynamicStoreConfig has krb5 settings, it should be the value there (Read more in comments)
3. Otherwise, if system default krb5 setting (say, /etc/krb5.conf) is available, it should be the value there
4. Otherwise, an exception is thrown
                                     
2012-07-18
WORK AROUND

Set java.security.krb5.conf system property to /etc/krb5.conf if you want to use that config.
                                     
2012-07-20
I tried Test.java on the following configurations:
[1] SCDynamicStoreConfig has krb5 settings (sc22bk11.us.oracle.com)
[2] SCDynamicStoreConfig does not have krb5 settings, but /etc/krb5.conf is available. /etc/krb5.conf contains the following settings:

[libdefaults]
	default_realm = RU.ORACLE.COM

[realms]
	RU.ORACLE.COM = {
		kdc = asmotrakov.ru.oracle.com
		admin_server = asmotrakov.ru.oracle.com
	}

[domain_realm]
	.ru.oracle.com = RU.ORACLE.COM

[3]  SCDynamicStoreConfig does not have krb5 settings, but /etc/krb5.conf is not available

1. 7u4 b21, configuration [1]:
sc22bk11:artem gtee$ /net/koori.us.oracle.com/onestop/jdk/1.7.0_04/promoted/fcs/b21/binaries/macosx-x86_64/bin/java -Djava.security.krb5.kdc=localhost -Djava.security.krb5.realm=A Test
A
sc22bk11:artem gtee$ /net/koori.us.oracle.com/onestop/jdk/1.7.0_04/promoted/fcs/b21/binaries/macosx-x86_64/bin/java Test
SC22BK11.US.ORACLE.COM 

The behavior is correct.

2. 7u4 b21, configuration [2]:
stt-mac-01:test gtee$ /tmp/artem/jdk1.7.0_04b21/Contents/Home/bin/java -Djava.security.krb5.kdc=localhost -Djava.security.krb5.realm=A Test
2013-07-11 13:35:54.193 java[48360:1b03] Unable to load realm info from SCDynamicStore
A
stt-mac-01:test gtee$ ../jdk1.7.0_04b21/Contents/Home/bin/java Test
2013-07-11 13:36:00.570 java[48362:1b03] Unable to load realm info from SCDynamicStore
Exception in thread "main" KrbException: Cannot locate default realm
	at sun.security.krb5.Config.getDefaultRealm(Config.java:1151)
	at Test.main(Test.java:3)
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
	at sun.security.krb5.Config.getRealmFromDNS(Config.java:1247)
	at sun.security.krb5.Config.getDefaultRealm(Config.java:1132)
	... 1 more

The issue is reproducible.

3. 7u40 b32, configuration [1]:
sc22bk11:artem gtee$ /net/koori.us.oracle.com/onestop/jdk/1.7.0_40/promoted/ea/b32/binaries/macosx-amd64/bin/java -Djava.security.krb5.kdc=localhost -Djava.security.krb5.realm=A Test
A
sc22bk11:artem gtee$ /net/koori.us.oracle.com/onestop/jdk/1.7.0_40/promoted/ea/b32/binaries/macosx-amd64/bin/java Test
SC22BK11.US.ORACLE.COM

The behavior is correct.

4. 7u40 b32, configuration [2]:
2013-07-11 13:38:36.722 java[48453:1d03] Unable to load realm info from SCDynamicStore
A
stt-mac-01:test gtee$ /tmp/artem/jdk1.7.0_40b32/Contents/Home/bin/java Test
2013-07-11 13:38:43.487 java[48467:1d03] Unable to load realm info from SCDynamicStore
RU.ORACLE.COM

The behavior is correct.

5. 7u40, configuration [3]:
stt-mac-01:test gtee$ /tmp/artem/jdk1.7.0_40b32/Contents/Home/bin/java Test
2013-07-11 13:39:50.175 java[48513:1d03] Unable to load realm info from SCDynamicStore
Exception in thread "main" KrbException: Cannot locate default realm
	at sun.security.krb5.Config.getDefaultRealm(Config.java:1181)
	at Test.main(Test.java:3)
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
	at sun.security.krb5.Config.getRealmFromDNS(Config.java:1277)
	at sun.security.krb5.Config.getDefaultRealm(Config.java:1162)
	... 1 more

The behavior is correct.

So the fix looks good, I am closing the bug as verified.
                                     
2013-07-11
EVALUATION

http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/9c586a733dc1
                                     
2012-08-29
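
The default-realm lookup order from the first EVALUATION comment, modeled as an added example (not code from the JDK or from this report). It does not call sun.security.krb5.Config; the class and method names, the readSystemFile switch and the IllegalStateException standing in for KrbException are assumptions, and the file step stands for whichever system krb5 config file is found. The sample input is the /etc/krb5.conf quoted in the verification comment.

```java
import java.util.Optional;

// Added illustration of the lookup order in this report; names are hypothetical.
public class KrbRealmLookup {

    // Extract default_realm from the [libdefaults] section of krb5.conf text.
    static Optional<String> defaultRealm(String conf) {
        boolean inLibdefaults = false;
        for (String raw : conf.split("\\R")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[")) { inLibdefaults = line.equals("[libdefaults]"); continue; }
            int eq = line.indexOf('=');
            if (inLibdefaults && eq > 0 && line.substring(0, eq).trim().equals("default_realm"))
                return Optional.of(line.substring(eq + 1).trim());
        }
        return Optional.empty();
    }

    // realmProp:      value of -Djava.security.krb5.realm, or null
    // scRealm:        realm from SCDynamicStoreConfig, or null if it has no krb5 settings
    // fileConf:       contents of the system krb5 config file, or null if absent
    // readSystemFile: false models the Mac behaviour before the fix, true after it
    static String resolve(String realmProp, String scRealm, String fileConf, boolean readSystemFile) {
        if (realmProp != null) return realmProp + " (system property)";
        if (scRealm != null) return scRealm + " (SCDynamicStoreConfig)";
        if (readSystemFile && fileConf != null) {
            Optional<String> realm = defaultRealm(fileConf);
            if (realm.isPresent()) return realm.get() + " (config file)";
        }
        throw new IllegalStateException("Cannot locate default realm");
    }

    public static void main(String[] args) {
        // Sample input: the /etc/krb5.conf shown in the verification comment.
        String conf = "[libdefaults]\n\tdefault_realm = RU.ORACLE.COM\n\n"
                    + "[realms]\n\tRU.ORACLE.COM = {\n\t\tkdc = asmotrakov.ru.oracle.com\n\t}\n";
        System.out.println(resolve("A", null, conf, true));                      // -D realm wins
        System.out.println(resolve(null, "SC22BK11.US.ORACLE.COM", conf, true)); // configuration [1]
        System.out.println(resolve(null, null, conf, true));                     // configuration [2], fixed
        for (boolean fixed : new boolean[] {false, true}) {
            try {   // configuration [2] before the fix, then configuration [3] after it
                System.out.println(resolve(null, null, fixed ? null : conf, fixed));
            } catch (IllegalStateException e) {
                System.out.println("fixed=" + fixed + ": " + e.getMessage());
            }
        }
    }
}
```

Because the selected source decides which realm and KDC the JVM authenticates against, the same ordering is what to walk through when auditing which file or store a given host's JVM will actually trust.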


