Details
-
Enhancement
-
Resolution: Won't Fix
-
P4
-
None
-
8u172
Description
Since the KDC retrieval can be wrong ( See https://bugs.openjdk.java.net/browse/JDK-8208295), if the system is trying to query a wrong KDC, it will have to wait by default 3 retry of 30 seconds, see KdcComm.java :
defaultKdcTimeout = timeout > 0 ? timeout : 30*1000; // 30 seconds
defaultKdcRetryLimit =
max_retries > 0 ? max_retries : Krb5.KDC_RETRY_LIMIT;
Where KDC_RETRY_LIMIT = 3
In Config.java, you can easily specify a kdc list with "java.security.krb5.kdc" or a realm with "java.security.krb5.realm". However, nothing is possible for the kdc_timeout.
The only work-around right now is to manually produce a krb5.conf file, and give it to Java before any initialisation happen.
We should have a static API, or a System property (also I'm not too fond of that) in order to change these values easily without loading a krb5.conf file.
defaultKdcTimeout = timeout > 0 ? timeout : 30*1000; // 30 seconds
defaultKdcRetryLimit =
max_retries > 0 ? max_retries : Krb5.KDC_RETRY_LIMIT;
Where KDC_RETRY_LIMIT = 3
In Config.java, you can easily specify a kdc list with "java.security.krb5.kdc" or a realm with "java.security.krb5.realm". However, nothing is possible for the kdc_timeout.
The only work-around right now is to manually produce a krb5.conf file, and give it to Java before any initialisation happen.
We should have a static API, or a System property (also I'm not too fond of that) in order to change these values easily without loading a krb5.conf file.
Attachments
Issue Links
- relates to
-
-
- Closed
-
-
JDK-8208295 Improve KDC Service Locator on Windows
-
- Closed
-