[PATCH] Handle alternative Kerberos credential cache locations
Weijun Wang
weijun.wang at oracle.com
Fri Sep 20 00:48:42 UTC 2013
Copying build-dev.
--Max
On 9/20/13 8:02 AM, Elliott Baron wrote:
> Hi,
>
> Kerberos 1.11 introduced a new configuration variable to override the
> default location of the credential cache at build time. Fedora 18 and up
> have used this new configuration variable to define an alternate default
> cache location (/run/user/$UID/krb5cc/tkt). This bug was initially
> reported against Fedora [1].
>
> On Linux and Solaris systems, FileCredentialsCache.getDefaultCacheName()
> defaults to the previously hard-coded location (/tmp/krb5cc_$UID). This
> location will be incorrect if Kerberos was built with an alternative
> credential cache location set. Since this credential cache location can
> be arbitrary, we need to query the Kerberos API for the correct
> location. This patch implements this query using a new JNI call, which
> adds a dependency on libkrb5 for Linux and Solaris systems. I have also
> included a test case which uses a stub library in place of the real JNI
> libkrb5 wrapper.
>
> The patch krb5-default-ccache should be applied to jdk8. This includes
> modifications to the build system in order to handle the dependency on
> libkrb5. These changes include querying pkg-config for the location of
> Kerberos includes and libraries, although there does not appear to be
> support for a libkrb5 pkg-config file just yet. An alternative program,
> krb5-config, operates similarly to pkg-config and prints the locations
> of the required libraries and includes. This program is included as part
> of Kerberos. This patch adds M4 macros to query krb5-config, and
> integrates these macros into libraries.m4. I have omitted
> generated-configure.sh for brevity.
>
> The second patch jdk-krb5-default-ccache-fix should be applied to
> jdk8/jdk. This includes the changes to FileCredentialsCache and the new
> native component, krb5ccache.c. The library generated from it is named
> libj2krb5. This patch includes krb5-config support in
> jdk_generic_profile.sh. This will allow users of the old build system
> (and JDK7) to automatically find the necessary includes and libraries
> for Kerberos. For the test component, the patch includes a Makefile to
> build the stub library. The test should be run using the provided
> run_tests.sh shell script.
>
> Thanks,
> Elliott
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=991170
More information about the security-dev
mailing list