JDK-7184815 : [macosx] Need to read Kerberos config in files
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: os_x
  • CPU: generic
  • Submitted: 2012-07-18
  • Updated: 2013-09-12
  • Resolved: 2012-09-01
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
7u40 b06Fixed 8Fixed
Related Reports
Relates :  
On Mac since Lion, sun.security.krb5.Config tries to locate the config info in this order:

1. java.security.krb5.conf system property
2. ${jre}/lib/security/krb5.conf
3. SCDynamicStoreConfig

The main difference from other platforms is that it will not try config files, say, /Library/Preferences/edu.mit.Kerberos or /etc/krb5.conf.

On the other hand, even /usr/bin/kinit comes with Lion reads the config file (if there is no SCDynamicStoreConfig setting).

It seems perfectly reasonable that if there are no SCDynamicStoreConfig entries, falling back to reading the legacy config files may be a valid option.

EVALUATION http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/9c586a733dc1

WORK AROUND Set java.security.krb5.conf system property to /etc/krb5.conf if you want to use that config.

EVALUATION No regression test is available because in order to verify the fix 1. changes to system config file (for example, /etc/krb5.conf) is needed. 2. the Mac part needs a Mac server setup with SCDynamicStoreConfig Please verify the fix by checking the output of sun.security.krb5.Config.getInstance().getDefaultRealm(). 1. When -Djava.security.krb5.realm=A is provided, it should be A 2. Otherwise, if on Mac Lion and SCDynamicStoreConfig has krb5 settings, it should be the value there (Read more in comments) 3. Otherwise, if system default krb5 setting (say, /etc/krb5.conf) is available, it should be the value there 4. Otherwise, an exception is thrown