code review request: 7184815 (was Re: OpenJDK krb5 ignore /etc/krb5.conf?)

Weijun Wang at
Tue Jul 17 23:29:19 PDT 2012

7184815: [macosx] Need to read Kerberos config in files

Please take a review:

I break the config setting into a Java setting and a native setting, and 
insert the reading of SCDynamicStoreConfig between the two. This should 
preserve the 6u behavior and add a fallback to legacy config files.

No new regression test, because of SCDynamicStoreConfig and system 
config files. I will ask SQE to create a manual test.


On 07/18/2012 08:26 AM, Weijun Wang wrote:
> I'm not familiar with how Mac does it, but normally there are two ways a
> Kerberos authentication is performed, through the initial login and
> through kinit. The former is integrated into the system (a pam module?)
> and I guess in this case the config is inside SCDynamicStoreConfig. For
> the latter, the Kerberos clients are regarded as standalone tools and a
> /etc/krb5.conf is needed.
> Java works in both ways: if there is already a credentials cache it will
> happily use it. On the other hand, it also includes the Krb5LoginModule
> that does all the login itself. Therefore, it should read both styles of
> config on a Mac.
> I've filed a new bug. It will appear soon at
> Thanks
> Max
> On 07/17/2012 10:35 PM, Mike Swingler wrote:
>> On Jul 16, 2012, at 8:32 PM, Weijun Wang < at> wrote:
>>> Ping again.
>>> On 07/05/2012 04:34 PM, Weijun Wang wrote:
>>>> Hi Scott
>>>> On Mac since Lion, tries to locate the config
>>>> info in this order:
>>>> 1. system property
>>>> 2. ${jre}/lib/security/krb5.conf
>>>> 3. SCDynamicStoreConfig
>>>> The main difference from other platforms is that it will not try config
>>>> files, say, /Library/Preferences/ or /etc/krb5.conf.
>>>> On the other hand, even the /usr/bin/kinit that comes with Lion reads the
>>>> config file (if there is no SCDynamicStoreConfig setting).
>>>> Is there a special reason for the current Java behavior? I do notice
>>>> that the Apple 6u33 already does this.
>> No special reason I can think of, beyond simply swapping the
>> implementation to read from the SCDynamicStoreConfig. Java SE 6 had
>> previously been relying on the system to write out a
>> /Library/Preferences/ file, but that went away with OS
>> X 10.7, so we didn't see much point in reading the file, since little
>> else on the system would be paying attention to it either for the
>> purposes of SSO.
>> It seems perfectly reasonable that if there are no
>> SCDynamicStoreConfig entries, falling back to reading the legacy
>> config files may be a valid option. I'm actually somewhat surprised
>> that they are consulted by kinit.
>> Regards,
>> Mike Swingler
>> Apple Inc.
