JDK-8158827 : kinit doesn't read forwardable & proxiable flags values from krb5.conf file
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 6,7,8
  • Priority: P2
  • Status: Closed
  • Resolution: Won't Fix
  • Submitted: 2016-06-06
  • Updated: 2017-08-15
  • Resolved: 2017-08-15
Related Reports
Relates :  
JDK-8075299 - Additional tests for krb5 settings
Relates :  
JDK-8044500 - Add kinit options and krb5.conf flags that allow users to obtain renewable tickets and specify ticket lifetimes
Description
While requesting ticket, kinit requests proxiable & forwardable flags only if those are provided as input parameters: kinit -f -p
But if -f & -p flags are not defined, forwardable & proxiable values are not taken from krb5.conf file.

It looks confusing. Because default_realm & [realms] are used in the way it is defined in this Specification:
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html
While other flags are skipped.
Comments
Close as will-not-fix for several reasons: 1. No customer request. Behavior change might confuse some. 2. Very easy workaround to add -f -r to the command line. 3. Command only available on Windows and IMHO mostly for test purpose. Real app either uses the cached credentials for Windows login or use JAAS to acquire a new credential.
15-08-2017