Bug 991170

Summary: java does not use correct kerberos credential cache (/tmp/krb5cc_uid vs /run/user/uid/krb5cc/tkt)
Product: [Fedora] Fedora Reporter: David Mansfield <bugzilla>
Component: java-1.7.0-openjdkAssignee: Elliott Baron <ebaron>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: ahughes, dbhole, jerboaa, jvanek, omajid, sgehwolf
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-28 15:15:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Mansfield 2013-08-01 18:56:20 UTC 
Description of problem:
In F18 (I think) the default cred. cache location changed, but this new location was put into KRB5CCNAME so that programs not updated to the new location would still function.

The setting of KRB5CCNAME was removed as per:

https://mail.gnome.org/archives/commits-list/2013-May/msg05519.html

However, java programs now use the wrong location (/tmp/krb5cc_uid).

Version-Release number of selected component (if applicable):
java version "1.7.0_25"
OpenJDK Runtime Environment (fedora-2.3.10.10.fc19-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)

or 

gdm-3.8.3-2.fc19.x86_64

depending on your perspective.

How reproducible:
Always

Steps to Reproduce:
1.Use,e.g. SampleClient and SampleServer from JAAS 
2.
3.

Actual results:
Credential cache is not found at correct location.  Using "-Dsun.security.krb5.debug=true" one can see:

>>>KinitOptions cache name is /tmp/krb5cc_42001



Expected results:
Uses cache in the new "standard" location.

Additional info:
Sample programs available at:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/ClientServer.html

My JAAS config for client:
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required 
    useTicketCache=true
    ;
};

My JAAS config for server;
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required 
    debug=true 
    storeKey=true 
    useKeyTab=true 
    keyTab="/path/to/krb5.keytab" 
    principal="myservice/host.example.com"
    doNotPrompt=true
    isInitiator=false;
};
Comment 1 Elliott Baron 2013-08-13 22:49:34 UTC 
I have posted a fix to handle arbitrary credential cache locations:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-August/024230.html
Comment 2 Omair Majid 2013-08-13 22:57:15 UTC 
(In reply to Elliott Baron from comment #1)
> I have posted a fix to handle arbitrary credential cache locations:
> http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-August/024230.html

Could you submit a fix to upstream jdk8 as well? It will be nice to have this fix in java-1.8.0-openjdk too.

Thanks!
Comment 3 Andrew John Hughes 2013-08-15 13:23:08 UTC 
http://icedtea.classpath.org/hg/icedtea7-forest/jdk/rev/3e4e1a4ef584
Comment 4 David Mansfield 2013-08-26 21:28:48 UTC 
Hi Andrew, 

Any chance to get a test build of this to verify?
Comment 5 Andrew John Hughes 2013-08-29 16:21:39 UTC 
I'll include it in the 2.4.2 update which should appear in Fedora soon (next week or so I hope).
Comment 6 David Mansfield 2013-09-09 13:29:48 UTC 
java-1.7.0-openjdk-1.7.0.60-2.4.2.0.fc19.x86_64 (currently updates-testing) confirmed to fix the bug.
Comment 7 Andrew John Hughes 2013-09-23 23:39:05 UTC 
Released: http://blog.fuseyism.com/index.php/2013/09/23/icedtea-2-4-2-released/