Bug 991170 - java does not use correct kerberos credential cache (/tmp/krb5cc_uid vs /run/user/uid/krb5cc/tkt)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: java-1.7.0-openjdk
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Elliott Baron
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-01 18:56 UTC by David Mansfield
Modified: 2013-09-28 15:15 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-09-28 15:15:36 UTC
Type: Bug
Embargoed:


Description David Mansfield 2013-08-01 18:56:20 UTC
Description of problem:
In F18 (I think) the default cred. cache location changed, but this new location was put into KRB5CCNAME so that programs not updated to the new location would still function.

The setting of KRB5CCNAME was removed as per:

https://mail.gnome.org/archives/commits-list/2013-May/msg05519.html

However, java programs now use the wrong location (/tmp/krb5cc_uid).

Version-Release number of selected component (if applicable):
java version "1.7.0_25"
OpenJDK Runtime Environment (fedora-2.3.10.10.fc19-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)

or 

gdm-3.8.3-2.fc19.x86_64

depending on your perspective.

How reproducible:
Always

Steps to Reproduce:
1. Use, e.g., SampleClient and SampleServer from JAAS

Actual results:
Credential cache is not found at correct location.  Using "-Dsun.security.krb5.debug=true" one can see:

>>>KinitOptions cache name is /tmp/krb5cc_42001



Expected results:
Uses cache in the new "standard" location.

Additional info:
Sample programs available at:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/ClientServer.html

My JAAS config for client:
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required 
    useTicketCache=true
    ;
};

My JAAS config for server:
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required 
    debug=true 
    storeKey=true 
    useKeyTab=true 
    keyTab="/path/to/krb5.keytab" 
    principal="myservice/host.example.com"
    doNotPrompt=true
    isInitiator=false;
};
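
Added example, not part of the bug report or of the OpenJDK fix: for a JVM that still probes only /tmp/krb5cc_uid, this script finds the ticket cache (KRB5CCNAME first, then the new and legacy locations named in the report) and pins it in the client JAAS config through Krb5LoginModule's ticketCache option. The function names and the RUN_BASE/TMP_BASE overrides are hypothetical.

```shell
#!/bin/sh
# Added example: locate the Kerberos ticket cache and pin it in a JAAS
# client config. RUN_BASE and TMP_BASE are hypothetical test overrides.

# find_ccache UID [KRB5CCNAME-value]
# Prints the first existing cache file, checked in this order:
#   1. the file named by KRB5CCNAME (FILE: prefix or bare absolute path)
#   2. the new location    $RUN_BASE/<uid>/krb5cc/tkt
#   3. the legacy location $TMP_BASE/krb5cc_<uid>
find_ccache() {
    uid=$1
    ccname=${2-}
    run_base=${RUN_BASE:-/run/user}
    tmp_base=${TMP_BASE:-/tmp}

    case $ccname in
        FILE:*) explicit=${ccname#FILE:} ;;
        /*)     explicit=$ccname ;;
        *)      explicit= ;;  # unset, or a non-file type; fall back to probing
    esac

    for candidate in "$explicit" "$run_base/$uid/krb5cc/tkt" "$tmp_base/krb5cc_$uid"; do
        if [ -n "$candidate" ] && [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# write_jaas_client UID OUTFILE [KRB5CCNAME-value]
write_jaas_client() {
    cache=$(find_ccache "$1" "${3-}") || {
        echo "no ticket cache found for uid $1; run kinit first" >&2
        return 1
    }
    cat > "$2" <<EOF
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    ticketCache="$cache"
    doNotPrompt=true;
};
EOF
}
```

Call it as `write_jaas_client "$(id -u)" client.conf "$KRB5CCNAME"` and pass the result to the JVM with `-Djava.security.auth.login.config=client.conf`; with doNotPrompt=true the login fails instead of prompting when the pinned cache is unusable.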

Comment 1 Elliott Baron 2013-08-13 22:49:34 UTC
I have posted a fix to handle arbitrary credential cache locations:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-August/024230.html

Comment 2 Omair Majid 2013-08-13 22:57:15 UTC
(In reply to Elliott Baron from comment #1)
> I have posted a fix to handle arbitrary credential cache locations:
> http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-August/024230.html

Could you submit a fix to upstream jdk8 as well? It will be nice to have this fix in java-1.8.0-openjdk too.

Thanks!

Comment 4 David Mansfield 2013-08-26 21:28:48 UTC
Hi Andrew, 

Any chance to get a test build of this to verify?

Comment 5 Andrew John Hughes 2013-08-29 16:21:39 UTC
I'll include it in the 2.4.2 update which should appear in Fedora soon (next week or so I hope).

Comment 6 David Mansfield 2013-09-09 13:29:48 UTC
java-1.7.0-openjdk-1.7.0.60-2.4.2.0.fc19.x86_64 (currently updates-testing) confirmed to fix the bug.

Comment 7 Andrew John Hughes 2013-09-23 23:39:05 UTC
Released: http://blog.fuseyism.com/index.php/2013/09/23/icedtea-2-4-2-released/

