JDK-6714845

Quotes in Kerberos configuration file are included in the values


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • Fix Version/s: 7
    • Affects Version/s: 6
    • Component/s: security-libs

      FULL PRODUCT VERSION :
      java version "1.6.0_06"
      Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
      Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)


      ADDITIONAL OS VERSION INFORMATION :
      Linux, OSX

      A DESCRIPTION OF THE PROBLEM :
      When using a Kerberos config file (via the 'java.security.krb5.conf' system property) that contains values between quotes, the quotes are part of the values.

      For example:

      [libdefaults]
      default_realm = "THE.REALM"
      ...

      If the realm is between double-quotes, Krb5LoginModule will look for name@"THE.REALM" instead of ###@###.###M, and thus fail.

      Some tools, including the "Kerberos Ticket Viewer" in OSX generate such configuration files, with quotes (it's called /Library/Preferences/edu.mit.Kerberos on OSX, equivalent to /etc/krb5.conf on many Linux distributions). Admittedly, Java on OSX isn't necessarily Sun's problem, but tolerance to quotes in the MIT Kerberos configuration file would be good, regardless of the OS. The problem occurs with the Sun implementation on Linux (and with Apple Java SDK on OSX) when the configuration file uses values between quotes. Other tools such as MIT kinit (on Linux or OSX) seem unaffected by quotes.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Use any example code from the tutorials that use a Kerberos configuration file, using the 'java.security.krb5.conf' system property.

      The login configuration file should contain something that looks like this (perhaps with minor variations):

      com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
          debug=true
          doNotPrompt=true
          useKeyTab=true
          keyTab=file.keytab
          storeKey=true
          principal="name";
      };

      Try to change your configuration file to include double-quotes, and perhaps activate the debugging options (-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true).

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The principal ###@###.###M should be loaded. Other tools such as MIT kinit (on Linux or OSX) seem unaffected by quotes.
      ACTUAL -
      The principal configured in the login file cannot be found.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Key for the principal name@"THE.REALM" not available in file.keytab

      ("THE.REALM", "name" and "file.keytab" should be replaced with the actual names used for testing)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      Removing the quotes in the configuration file makes it work.
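
The behaviour described in this report, as an added example that is not taken from the JDK sources or from the reporter: a minimal parser for key = value lines that either keeps surrounding double quotes (the reported behaviour) or strips one matching pair. The class name, method names and sample input are constructed for this illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class Krb5QuoteDemo {
    // Constructed sample input, modelled on the [libdefaults] example in the report.
    static final String SAMPLE =
          "[libdefaults]\n"
        + "default_realm = \"THE.REALM\"\n"
        + "forwardable = true\n"
        + "odd = \"unterminated\n";

    // Strip exactly one pair of matching double quotes; anything else is returned unchanged.
    static String unquote(String v) {
        v = v.trim();
        if (v.length() >= 2 && v.charAt(0) == '"' && v.charAt(v.length() - 1) == '"') {
            return v.substring(1, v.length() - 1);
        }
        return v;
    }

    // Parse the key = value lines of one section. tolerant=false keeps the quotes in the value.
    static Map<String, String> parseSection(String text, String section, boolean tolerant) {
        Map<String, String> out = new LinkedHashMap<>();
        boolean inSection = false;
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                inSection = line.substring(1, line.length() - 1).trim().equals(section);
                continue;
            }
            int eq = line.indexOf('=');
            if (!inSection || eq < 0) continue;
            String value = line.substring(eq + 1).trim();
            out.put(line.substring(0, eq).trim(), tolerant ? unquote(value) : value);
        }
        return out;
    }

    public static void main(String[] args) {
        for (boolean tolerant : new boolean[] {false, true}) {
            Map<String, String> cfg = parseSection(SAMPLE, "libdefaults", tolerant);
            System.out.println("tolerant=" + tolerant + " principal=name@"
                + cfg.get("default_realm") + " odd=" + cfg.get("odd"));
        }
    }
}
```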

            weijun Weijun Wang
            ndcosta Nelson Dcosta (Inactive)