Bug 991170

Summary: java does not use correct kerberos credential cache (/tmp/krb5cc_uid vs /run/user/uid/krb5cc/tkt)
Product: [Fedora] Fedora Reporter: David Mansfield <bugzilla>
Component: java-1.7.0-openjdkAssignee: Elliott Baron <ebaron>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: ahughes, dbhole, jerboaa, jvanek, omajid, sgehwolf
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-28 11:15:36 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description David Mansfield 2013-08-01 14:56:20 EDT
Description of problem:
In F18 (I think) the default cred. cache location changed, but this new location was put into KRB5CCNAME so that programs not updated to the new location would still function.

The setting of KRB5CCNAME was removed as per:


However, java programs now use the wrong location (/tmp/krb5cc_uid).

Version-Release number of selected component (if applicable):
java version "1.7.0_25"
OpenJDK Runtime Environment (fedora-
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)



depending on your perspective.

How reproducible:

Steps to Reproduce:
1.Use,e.g. SampleClient and SampleServer from JAAS 

Actual results:
Credential cache is not found at correct location.  Using "-Dsun.security.krb5.debug=true" one can see:

>>>KinitOptions cache name is /tmp/krb5cc_42001

Expected results:
Uses cache in the new "standard" location.

Additional info:
Sample programs available at:


My JAAS config for client:
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required 

My JAAS config for server;
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required 
Comment 1 Elliott Baron 2013-08-13 18:49:34 EDT
I have posted a fix to handle arbitrary credential cache locations:
Comment 2 Omair Majid 2013-08-13 18:57:15 EDT
(In reply to Elliott Baron from comment #1)
> I have posted a fix to handle arbitrary credential cache locations:
> http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-August/024230.html

Could you submit a fix to upstream jdk8 as well? It will be nice to have this fix in java-1.8.0-openjdk too.

Comment 4 David Mansfield 2013-08-26 17:28:48 EDT
Hi Andrew, 

Any chance to get a test build of this to verify?
Comment 5 Andrew John Hughes 2013-08-29 12:21:39 EDT
I'll include it in the 2.4.2 update which should appear in Fedora soon (next week or so I hope).
Comment 6 David Mansfield 2013-09-09 09:29:48 EDT
java-1.7.0-openjdk- (currently updates-testing) confirmed to fix the bug.
Comment 7 Andrew John Hughes 2013-09-23 19:39:05 EDT
Released: http://blog.fuseyism.com/index.php/2013/09/23/icedtea-2-4-2-released/