OpenJDK krb5 ignore /etc/krb5.conf?

Mike Swingler swingler at apple.com
Tue Jul 17 14:35:02 UTC 2012


On Jul 16, 2012, at 8:32 PM, Weijun Wang <weijun.wang at oracle.com> wrote:

> Ping again.
> 
> On 07/05/2012 04:34 PM, Weijun Wang wrote:
>> Hi Scott
>> 
>> On Mac since Lion, sun.security.krb5.Config tries to locate the config
>> info in this order:
>> 
>> 1. java.security.krb5.conf system property
>> 2. ${jre}/lib/security/krb5.conf
>> 3. SCDynamicStoreConfig
>> 
>> The main difference from other platforms is that it will not try config
>> files, say, /Library/Preferences/edu.mit.Kerberos or /etc/krb5.conf.
>> 
>> On the other hand, even the /usr/bin/kinit that comes with Lion reads
>> the config file (if there is no SCDynamicStoreConfig setting).
>> 
>> Is there a special reason for the current Java behavior? I do notice
>> that the Apple 6u33 already does this.

No special reason I can think of, beyond simply swapping the implementation to read from the SCDynamicStoreConfig. Java SE 6 had previously been relying on the system to write out a /Library/Preferences/edu.mit.Kerberos file, but that went away with OS X 10.7, so we didn't see much point in reading the file, since little else on the system would be paying attention to it either for the purposes of SSO.

It seems perfectly reasonable that if there are no SCDynamicStoreConfig entries, falling back to reading the legacy config files may be a valid option. I'm actually somewhat surprised that they are consulted by kinit.

Regards,
Mike Swingler
Apple Inc.
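
Added example, not part of the original message and not OpenJDK code: a small probe that applies the lookup order quoted above and flags the legacy files that exist on the host but would not be consulted. The class name Krb5ConfProbe and its methods are hypothetical; the probe cannot inspect SCDynamicStoreConfig itself and only reports it as the remaining fallback.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;

public class Krb5ConfProbe {
    // Files the thread says are not tried on Mac since Lion.
    static final String[] NOT_CONSULTED = {
        "/Library/Preferences/edu.mit.Kerberos",
        "/etc/krb5.conf"
    };

    /** Returns the source that wins under the order quoted in the thread. */
    static String resolve(String sysProp, String javaHome, List<String> notes) {
        // Record legacy files that exist but are skipped, so settings kept
        // there (realms, KDCs, enctypes) are not assumed to apply to Java.
        for (String path : NOT_CONSULTED) {
            if (new File(path).isFile()) {
                notes.add("present but not consulted: " + path);
            }
        }
        // 1. java.security.krb5.conf system property
        if (sysProp != null && !sysProp.isEmpty()) {
            if (!new File(sysProp).isFile()) {
                notes.add("system property points to a missing file: " + sysProp);
            }
            return "java.security.krb5.conf=" + sysProp;
        }
        // 2. ${jre}/lib/security/krb5.conf
        File jreConf = new File(javaHome, "lib/security/krb5.conf");
        if (jreConf.isFile()) {
            return jreConf.getPath();
        }
        // 3. SCDynamicStoreConfig (assumed fallback; not inspected here)
        return "SCDynamicStoreConfig";
    }

    public static void main(String[] args) {
        List<String> notes = new ArrayList<>();
        String source = resolve(System.getProperty("java.security.krb5.conf"),
                                System.getProperty("java.home"), notes);
        System.out.println("effective Kerberos config source: " + source);
        for (String note : notes) {
            System.out.println("note: " + note);
        }
    }
}
```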