RFR 8227437: S4U2proxy cannot continue because server's TGT cannot be found

Martin Balao mbalao at redhat.com
Tue Jul 16 00:47:36 UTC 2019


I'd like to propose the following fix for JDK-8227437 [1] (*):

 * http://cr.openjdk.java.net/~mbalao/webrevs/8227437/8227437.webrev.00/

The JDK-8227437 bug appeared after the OpenJDK Kerberos client supported
RFC-6806 [2].

When requesting a TGT (ticket-granting-ticket), there may be client name
canonicalization and/or realm referrals. When requesting a TGS
(ticket-granting-service), there may be realm referrals. As a result,
the client or service names we use to request a ticket may be different
than those we get in the returned ticket. I.e.: we may use the subject
principal "subject@REALM-1.COM" as a client name to request a TGT and
get a ticket whose client name is "subject-canonical@REALM-2.COM".

Even though the ticket credentials belong to the subject, we are unable
to locate them based on the client or service names when there is a
change. In the previous example, we will use "subject@REALM-1.COM"
subject principal as a client name to find the ticket but the actual
ticket has a "subject-canonical@REALM-2.COM" client name.

To fix this problem, we now save the original client and service names
as "alias" fields in Credentials and KerberosTicket objects (if there is
a change). This allows subject credentials to be found properly.

Note: client and service alias information is not populated (saved or
retrieved) across credentials caches: file-based-caches [3][4], Windows
native cache or macOS native cache. As a result, the client name must
match the subject principal for the credential to be found (see
Credentials::acquireTGTFromCache). If the credential is not found, a
request to the KDC may be issued.


 * ReferralsTest extended to cover this bug

 * Regression testing on jdk/sun/security/krb5 passed

 * Tested in my local Windows 2016 referrals environment

Look forward to your comments.


[1] - https://bugs.openjdk.java.net/browse/JDK-8227437
[2] - https://bugs.openjdk.java.net/browse/JDK-8215032
[3] - https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
[4] -

(*) - we have worked together with Max (@weijun) during the last week to
come up with this version.
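
The lookup miss and the alias-based match described in the message, as an added example that is not part of the original post and is not the JDK's code. The `Ticket` record, its field names and both lookup methods are hypothetical, the sample tickets are constructed, and it assumes Java 16 or later for records.

```java
import java.util.List;
import java.util.Optional;

// Simplified model of the lookup described above. Not JDK code: Ticket,
// clientAlias and both find methods are hypothetical names.
public class AliasLookupDemo {

    // clientAlias holds the name originally requested. It is null when the KDC
    // returned the name unchanged, or when the ticket was read back from a
    // credentials cache, which does not store alias information.
    record Ticket(String client, String clientAlias, String server) {}

    // Match on the ticket's client name only: misses a ticket whose client
    // name was canonicalized or moved to another realm by a referral.
    static Optional<Ticket> findByName(List<Ticket> creds, String principal) {
        return creds.stream()
                .filter(t -> t.client().equals(principal))
                .findFirst();
    }

    // Match on the client name or on the saved alias.
    static Optional<Ticket> findByNameOrAlias(List<Ticket> creds, String principal) {
        return creds.stream()
                .filter(t -> t.client().equals(principal)
                        || principal.equals(t.clientAlias()))
                .findFirst();
    }

    public static void main(String[] args) {
        String subject = "subject@REALM-1.COM";

        // Constructed sample: the TGT returned after canonicalization and referral.
        Ticket tgt = new Ticket("subject-canonical@REALM-2.COM", subject,
                "krbtgt/REALM-2.COM@REALM-2.COM");
        // The same ticket after a round trip through a cache: the alias is gone.
        Ticket fromCache = new Ticket(tgt.client(), null, tgt.server());

        System.out.println("in memory, name only:     "
                + findByName(List.of(tgt), subject).isPresent());
        System.out.println("in memory, name or alias: "
                + findByNameOrAlias(List.of(tgt), subject).isPresent());
        System.out.println("from cache, name or alias: "
                + findByNameOrAlias(List.of(fromCache), subject).isPresent());
    }
}
```

The third lookup models the note about credentials caches: with no alias stored, only an exact client-name match can find the ticket.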
