Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8250582

Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets

    XMLWordPrintable

Details

    Backports

      Description

        In JDK-8215032 ("Support Kerberos cross-realm referrals (RFC 6806)") we changed the Principal Name type to NT-SRV-HST when requesting TGS Kerberos tickets. This change can be seen in CredentialsUtil::acquireServiceCreds method (sun/security/krb5/internal/CredentialsUtil.java file), which used to contain the line "PrincipalName sname = new PrincipalName(service);" (implicitly meaning an NT-UNKNOWN Service Name Principal) and now creates an instance of PrincipalName with a PrincipalName.KRB_NT_SRV_HST constructor argument.

        Even though real-case failures were not noticed as a result of this change, and RFC-4120 - Section 6.2 [1] makes us think that there shouldn't be, we will revert the change to the previous state.

        A future enhancement would be to change CredentialsUtil::acquireServiceCreds method signature to receive the Principal Name type by parameter. Krb5Context class, as a method's caller, would need to send the proper value obtained from the Krb5Context::peerName instance.

        --
        [1] - https://tools.ietf.org/html/rfc4120#section-6.2

        Attachments

          Issue Links

            Activity

              People

                mbalao Martin Balao
                mbalao Martin Balao
                Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: