[security-dev 00103]: How to get the default Kerberos realm?

[Max (Weijun) Wang]

Hi All

Currently, the JDK works like this (in sun.security.krb5.Config):

1. If the java.security.krb5.kdc system property is set, return it
2. If [libdefaults] default_realm exists in krb5.conf, return it
3. Using DNS (if allowed)
    a. Find the full qualified host name of the localhost
    b. Find its longest rightmost match in [domain_realm] in  
krb5.conf, or return null
    c. Try to locate this match in DNS using the entry  
_kerberos.THE.LONGEST.MATCH, or shorter, say, _kerberos.LONGEST.MATCH  
etc, until a record is found, or return null
    d. If the record's TXT value include THE.MATCH, return it, or  
return null

It seems b,c in 3 is merely a confirmation of a, which means both  
domain_realm mappings and DNS must agree on the value of the realm. I  
think this AND rule should be changed into an OR rule. Also, the DNS  
search should not be based on realm name, but domain name, which is  
how DNS normally works.

Thus, I'd like to split 3 to two parts:

3'. Using domain_realm
    a. Find the full qualified host name of the localhost F.Q.H.N
    b. Find its longest rightmost match in [domain_realm] in  
krb5.conf, return it
4'. Using DNS (if allowed)
    a. Try to locate it in DNS using the entry _kerberos.F.Q.H.N, or  
shorter, say, _kerberos.Q.H.N etc, until a record is found
    b. return the record's TXT value (wish there's only one)

Also, if a local credential cache (either krbccc_XXX file or LSA)  
already includes an initial TGT, it should be used directly. Thus,  
I'd like to add between 2 and 3 a new rule between 2 and 3:

2'. If a credential cache already includes an initial TGT, return the  
issuer's realm.

This is useful because the machine and the logon user can be  
registered in different domain. For the sake of SSO, kerberos  
settings would better follow the user, not the machine.

So my suggestion is 1 - 2 - 2' - 3' - 4'.

Any ideas?

Thanks
Max