bug fix for native kerberos libraries
Weijun Wang
weijun.wang at oracle.com
Mon Oct 22 02:54:39 UTC 2012
I see. So it looks like the MS tool is calling JAAS. Is it asking you to
prepare a JAAS login file like this?
client {
com.sun.security.auth.module.Krb5LoginModule required
...;
};
You can put a key-value pair ticketCache=ccache_file inside it where
ccache_file is the KRB5CCNAME env variable. This would assign the value
to ticketCacheName and your patch won't be needed.
In fact, whatever credentials you specified here will not be used by the
final GSS mech at all (since it's native). So maybe we can just trick
the MS tool that a login is there but do nothing. Please try this (jdk7
only)
client {
com.sun.security.auth.module.Krb5LoginModule required
principal=nobody at NOWHERE
useKeyTab=true
isInitiator=false;
};
If this work, you don't need to call kinit and save a ccache file somewhere.
-Weijun
On 10/22/2012 09:16 AM, christos at zoulas.com wrote:
> On Oct 22, 8:17am, weijun.wang at oracle.com (Weijun Wang) wrote:
> -- Subject: Re: bug fix for native kerberos libraries
>
> | You are still using JAAS? There is no need to call Krb5LoginModule or
> | read credentials cache yourself if you are using native kerberos. Just
> | call JGSS APIs directly.
> |
> | Thanks
> | Weijun
>
> I am not doing anything with kerberos/gssapi directly. I am just using
> the Microsoft sql server java driver (*), and it is doing all the calls.
> While it works fine with the java implementation, it does not work with
> the native MIT libraries, and needs that fix.
>
> Best,
>
> christos
>
> (*) http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774
>
More information about the security-dev
mailing list