United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6793475 krb5.ini not found on some Windows
JDK-6793475 : krb5.ini not found on some Windows

Details
Type:
Bug
Submit Date:
2009-01-14
Status:
Resolved
Updated Date:
2010-11-04
Project Name:
JDK
Resolved Date:
2009-01-31
Component:
security-libs
OS:
windows_2008
Sub-Component:
org.ietf.jgss:krb5
CPU:
generic
Priority:
P4
Resolution:
Fixed
Affected Versions:
7
Fixed Versions:

Related Reports
Backport:

Sub Tasks

Description
We're now looking for the location of krb5.ini on Windows like this:

   len = GetWindowsDirectory(NULL, 0);
   TCHAR* path = new TCHAR(len);
   GetWindowsDirectory(path, len);
   // krb5.ini should be in path now

However, in some Windows Server 2008 SP1 installations, a strange behavior is observed:

   GetWindowsDirectory(NULL, 0) return 11, looks like length of "C:\Windows" + 1
   GetWindowsDirectory(path, 11) returns 12, and fills path with ""
   GetWindowsDirectory(longpath, 999) returns 20, and fills path with "C:\Users\Me\Windows"

The reason is unknown yet, but the result is Java looks for krb5.ini in "", and -- unfound.
This only happens in Windows 2008 (and Vista) when Terminal Services are installed.

                                    

Comments
EVALUATION

No regression test. Need a Windows 2008 with Terminal Services turn on, and a Kerberos config file in the Windows directory.
                                     
2009-01-14
EVALUATION

According to MSDN on GetWindowsDirectory(), the preferred way to call it is --

   TCHAR path[MAX_PATH+1];
   GetWindowsDirectory(path, MAX_PATH)

This code snippet works fine on the questionable Windows Server 2008.
                                     
2009-01-14
WORK AROUND

Place krb5.conf in $jre/lib/security, Java looks for this file at this location first.
                                     
2009-01-15
EVALUATION

Evaluating this bug brings out a question: what exactly is the Windows directory?

The common sense would be C:\Windows. However, MSDN says "The Windows directory is the directory where an application should store initialization and help files. If the user is running a shared version of the system, the Windows directory is guaranteed to be private for each user". Furthermore, "If the application is running in a Terminal Services environment, each user has a private Windows directory. There is also a shared Windows directory for the system. If the application is Terminal-Services-aware (has the IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE flag set in the image header), this function returns the path of the system Windows directory, just as the GetSystemWindowsDirectory function does. Otherwise, it retrieves the path of the private Windows directory for the user".

In the case of this bug, the Windows directory turns into "C:\Users\UserName\Windows".

The Kerberos 5 config file -- krb5.ini -- is a system-wide configuration that should have gone into the "real" Windows directory, which is the result of GetSystemWindowsDirectory.

For compatibility reasons, we would first search krb5.ini in GetWindowsDirectory(), and then, if not found, look for it in GetSystemWindowsDirectory(). After this fix, we can make sure the system-wide krb5.ini can always be reached. It would be picked up as the Kerberos 5 config file unless overrided by 1) java.security.krb5.conf, 2) $JRE/lib/security/krb5.conf, or 3) krb5.ini in the user-private Windows directory.

BTW, the MIT Kerberos implementation still uses GetWindowsDirectory but they have a registry item for leash32.exe.
                                     
2009-01-15
EVALUATION

http://hg.openjdk.java.net/jdk7/tl/jdk/rev/9260d9bd0843
                                     
2009-01-19



Hardware and Software, Engineered to Work Together