Type: Bug
Resolution: Fixed
Priority: P4
Affects Version/s: 11, 17, 22, 23
Resolved In Build: b08
CPU: generic
OS: generic
ADDITIONAL SYSTEM INFORMATION :
RHEL 8 / JDK 22.0.1
A DESCRIPTION OF THE PROBLEM :
If udp_preference_limit is set to 0 in the Kerberos config the current Kerberos implementation [1] incorrectly tries UDP before falling back to TCP. The current krb5 config documentation states:
When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is
above udp_preference_limit. If the message is smaller than udp_preference_limit, then UDP will be tried
before TCP. Regardless of the size, both protocols will be tried if the first attempt fails.
From this documentation it seems that setting udp_preference_limit to 0 should effectively disable UDP. This interpretation aligns with the sssd interpretation where udp_preference_limit is now being set to 0 to disable UDP. Unfortunately, this sssd Kerberos configuration now has the opposite effect in the JDK and causes it to first try UDP before falling back to TCP.
We first noticed this issue when we observed socket timeouts and ICMP unreachable (need to frag) errors during authentication from an RHEL 8, MTU 9000 machine to an MTU 1500 AD machine. The RHEL 8 box was picking up udp_preference_limit = 0 from /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults.
It should also be noted that attempting to ensure a Kerberos config like udp_preference_limit = 1 in the presence of other Kerberos config files (like sssd) is extremely fragile. The JVM Kerberos implementation will use the first value it encounters for a given key. In earlier versions of the JVM it will also load multiple configuration files in the same include directory in an arbitrary order [2].
[1] https://github.com/openjdk/jdk/blob/jdk-22%2B1/src/java.security.jgss/share/classes/sun/security/krb5/KdcComm.java#L197
[2] https://bugs.openjdk.org/browse/JDK-8309356
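The two points above (what udp_preference_limit = 0 should mean, and why pinning the value is fragile when several config sources set the same key) can be checked with the following added illustration. It is not code from the JDK or from this report: the parser, the first-value-wins merge, the two transport-order functions, the sample configs and the MTU check are all constructed here. transport_order_reported reconstructs the ordering the report observes in JDK 22.0.1; transport_order_documented follows the krb5.conf documentation quoted above.

```python
# Added illustration (not code from the JDK or from the bug report): transport
# selection keyed on udp_preference_limit, with a first-value-wins merge over
# several [libdefaults] sources such as krb5.conf plus an sssd include file.

DEFAULT_UDP_PREFERENCE_LIMIT = 1465  # MIT krb5 default when the key is absent
IPV4_UDP_HEADERS = 20 + 8            # bytes of IPv4 + UDP header per datagram


def parse_libdefaults(text):
    """Return the [libdefaults] key/value pairs of one krb5-style config text.

    Minimal parser: ignores other sections and '#' comments. When a key is
    repeated, the first occurrence is kept, matching the lookup the report
    describes ("the first value it encounters for a given key").
    """
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values.setdefault(key.strip(), value.strip())
    return values


def effective_udp_preference_limit(config_texts, default=DEFAULT_UDP_PREFERENCE_LIMIT):
    """Merge config texts in the order they are loaded; the first value wins.

    Returns the integer udp_preference_limit, or `default` when no source sets
    it or the value is not an integer.
    """
    merged = {}
    for text in config_texts:
        for key, value in parse_libdefaults(text).items():
            merged.setdefault(key, value)
    try:
        return int(merged.get("udp_preference_limit", default))
    except ValueError:
        return default


def transport_order_reported(message_len, limit):
    """Order the report observes in JDK 22.0.1: a limit of 0 is treated as
    'no preference', so UDP is tried first (reconstruction of the observed
    behaviour, not the JDK's source)."""
    use_tcp_first = limit > 0 and message_len > limit
    return ("tcp", "udp") if use_tcp_first else ("udp", "tcp")


def transport_order_documented(message_len, limit):
    """Order the krb5.conf documentation describes: TCP first whenever the
    message size is above the limit, so a limit of 0 sends every non-empty
    message over TCP first and UDP is only the fallback."""
    use_tcp_first = message_len > limit
    return ("tcp", "udp") if use_tcp_first else ("udp", "tcp")


def udp_fits_path_mtu(message_len, path_mtu):
    """True when one UDP datagram carrying the message fits the path MTU
    without IP fragmentation (IPv4 assumed). A jumbo-frame host (MTU 9000)
    on a 1500-byte path sends datagrams that fail this check, which is where
    ICMP 'need to frag' errors like the report's come from."""
    return message_len + IPV4_UDP_HEADERS <= path_mtu


# Constructed sample configs (not taken from any real host).
MAIN_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG
    udp_preference_limit = 1
"""

SSSD_INCLUDE = """
# constructed stand-in for an sssd-managed libdefaults include file
[libdefaults]
    udp_preference_limit = 0
"""

if __name__ == "__main__":
    # The sssd include loaded first pins the limit at 0, whatever krb5.conf says.
    limit = effective_udp_preference_limit([SSSD_INCLUDE, MAIN_KRB5_CONF])
    msg_len = 1700  # constructed KDC request size, larger than a 1500-byte path allows
    print("effective limit:", limit)
    print("reported order:  ", transport_order_reported(msg_len, limit))
    print("documented order:", transport_order_documented(msg_len, limit))
    print("udp fits 1500 MTU:", udp_fits_path_mtu(msg_len, 1500))
```

Running it shows the two failure modes side by side: with the sssd include loaded first the effective limit is 0 regardless of what krb5.conf says, and under the reported ordering a 1700-byte request still goes out over UDP first, where it cannot fit a 1500-byte path. The debug output enabled in step 2 of the reproduction below is the place to confirm which transport a real JVM picked for each attempt.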
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Set udp_preference_limit = 0 in krb5.conf
2) Establish a Kerberos session (-Djava.security.krb5.conf=krb5.conf -Dsun.security.krb5.debug=true)
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
When udp_preference_limit = 0, UDP should not be used.
ACTUAL -
When udp_preference_limit = 0, UDP is always tried before TCP.
CUSTOMER SUBMITTED WORKAROUND :
Set udp_preference_limit = 1
FREQUENCY : always
Relates to: JDK-8336935 Test sun/security/krb5/auto/RealmSpecificValues.java fails: java.lang.RuntimeException: Should not reach here (Resolved)
Links to: Commit(master) openjdk/jdk/c740e1e3; Review(master) openjdk/jdk/19638