bug fix for native kerberos libraries

Weijun Wang weijun.wang at oracle.com
Mon Oct 22 02:54:39 UTC 2012


I see. So it looks like the MS tool is calling JAAS. Is it asking you to 
prepare a JAAS login file like this?

    client {
       com.sun.security.auth.module.Krb5LoginModule required
       ...;
    };

You can put a key-value pair ticketCache=ccache_file inside it where 
ccache_file is the KRB5CCNAME env variable. This would assign the value 
to ticketCacheName and your patch won't be needed.

In fact, whatever credentials you specified here will not be used by the 
final GSS mech at all (since it's native). So maybe we can just trick 
the MS tool that a login is there but do nothing. Please try this (jdk7 
only)

    client {
       com.sun.security.auth.module.Krb5LoginModule required
       principal=nobody@NOWHERE
       useKeyTab=true
       isInitiator=false;
    };

If this works, you don't need to call kinit and save a ccache file somewhere.

-Weijun

On 10/22/2012 09:16 AM, christos at zoulas.com wrote:
> On Oct 22,  8:17am, weijun.wang at oracle.com (Weijun Wang) wrote:
> -- Subject: Re: bug fix for native kerberos libraries
>
> | You are still using JAAS? There is no need to call Krb5LoginModule or
> | read credentials cache yourself if you are using native kerberos. Just
> | call JGSS APIs directly.
> |
> | Thanks
> | Weijun
>
> I am not doing anything with kerberos/gssapi directly. I am just using
> the Microsoft sql server java driver (*), and it is doing all the calls.
> While it works fine with the java implementation, it does not work with
> the native MIT libraries, and needs that fix.
>
> Best,
>
> christos
>
> (*) http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774
>
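
The first suggestion in the mail above (ticketCache taken from KRB5CCNAME), as an added example that is not code from this thread, the JDK or the Microsoft driver: it builds the JAAS entry in code so the cache path is read from the environment at startup. Assumptions: the class name CcacheJaasConfig is hypothetical, the caller looks up an entry named "client" as in the mail, the cache is file-based, and the useTicketCache and doNotPrompt options are added here.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class CcacheJaasConfig extends Configuration {
    private final String entryName;   // "client" is the entry name shown in the mail
    private final String ccachePath;

    public CcacheJaasConfig(String entryName, String krb5ccname) {
        this.entryName = entryName;
        this.ccachePath = toFilePath(krb5ccname);
    }

    // Map a KRB5CCNAME value to a plain file path, or fail loudly.
    static String toFilePath(String krb5ccname) {
        if (krb5ccname == null || krb5ccname.isEmpty()) {
            throw new IllegalStateException("KRB5CCNAME is not set");
        }
        if (krb5ccname.regionMatches(true, 0, "FILE:", 0, 5)) {
            return krb5ccname.substring(5);
        }
        // Two or more letters before ':' is a cache type (DIR:, KEYRING:, KCM:),
        // not a drive letter; those are not file caches, so refuse them here.
        if (krb5ccname.matches("^[A-Za-z]{2,}:.*")) {
            throw new IllegalStateException("not a FILE ccache: " + krb5ccname);
        }
        return krb5ccname;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!entryName.equals(name)) {
            return null;   // unknown entry: let the caller report it
        }
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("ticketCache", ccachePath);
        opts.put("doNotPrompt", "true");   // never fall back to a password prompt
        return new AppConfigurationEntry[] { new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            LoginModuleControlFlag.REQUIRED, opts) };
    }

    public static void main(String[] args) {
        Configuration.setConfiguration(
            new CcacheJaasConfig("client", System.getenv("KRB5CCNAME")));
    }
}
```

Refusing non-file cache types up front gives a clear startup error instead of a login failure later inside the driver.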


