JDK-8250582

Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets

        Description

        In JDK-8215032 ("Support Kerberos cross-realm referrals (RFC 6806)") we changed the Principal Name type to NT-SRV-HST when requesting TGS Kerberos tickets. This change can be seen in the CredentialsUtil::acquireServiceCreds method (sun/security/krb5/internal/CredentialsUtil.java file), which used to contain the line "PrincipalName sname = new PrincipalName(service);" (implicitly meaning an NT-UNKNOWN Service Name Principal) and now creates an instance of PrincipalName with PrincipalName.KRB_NT_SRV_HST as a constructor argument.

        Even though no real-world failures were noticed as a result of this change, and RFC 4120, Section 6.2 [1] makes us think that there shouldn't be any, we will revert the change to the previous state.

        A future enhancement would be to change the CredentialsUtil::acquireServiceCreds method signature to receive the Principal Name type as a parameter. The Krb5Context class, as a caller of the method, would need to pass the proper value obtained from the Krb5Context::peerName instance.

        --
        [1] - https://tools.ietf.org/html/rfc4120#section-6.2
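
Added example (not part of the JDK issue or the JDK source): the service name in a TGS request is an RFC 4120 PrincipalName, so the two name types discussed above differ only in one encoded integer. This Python sketch encodes and decodes that structure so the field can be checked in a captured request; the principal host/server.example.com is a constructed sample.

```python
# Added example: DER form of a Kerberos PrincipalName (RFC 4120, section 5.2.2).
NAME_TYPES = {0: "NT-UNKNOWN", 1: "NT-PRINCIPAL", 2: "NT-SRV-INST", 3: "NT-SRV-HST"}

def _tlv(tag, body):
    """Encode one DER tag-length-value triple (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def encode_principal_name(name_type, components):
    """SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF GeneralString }"""
    magnitude = name_type if name_type >= 0 else ~name_type
    int_body = name_type.to_bytes(magnitude.bit_length() // 8 + 1, "big", signed=True)
    strings = b"".join(_tlv(0x1B, c.encode("ascii")) for c in components)
    return _tlv(0x30, _tlv(0xA0, _tlv(0x02, int_body)) + _tlv(0xA1, _tlv(0x30, strings)))

def _read(buf, pos, expected_tag):
    """Read one TLV at pos, checking its tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag {expected_tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def decode_principal_name(der):
    """Return (name_type, [components]) from a DER PrincipalName."""
    seq, _ = _read(der, 0, 0x30)
    nt_wrapped, pos = _read(seq, 0, 0xA0)
    ns_wrapped, _ = _read(seq, pos, 0xA1)
    nt_raw, _ = _read(nt_wrapped, 0, 0x02)
    items, _ = _read(ns_wrapped, 0, 0x30)
    components, p = [], 0
    while p < len(items):
        value, p = _read(items, p, 0x1B)
        components.append(value.decode("ascii"))
    return int.from_bytes(nt_raw, "big", signed=True), components

def differing_offsets(a, b):
    """Byte offsets at which two equal-length encodings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample: the same service principal under both name types.
SERVICE = ["host", "server.example.com"]
AS_UNKNOWN = encode_principal_name(0, SERVICE)   # NT-UNKNOWN
AS_SRV_HST = encode_principal_name(3, SERVICE)   # NT-SRV-HST
```

The two encodings differ at a single offset, the INTEGER value inside the [0] name-type field, which is the only on-the-wire effect of the name type itself.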

                People

                • Assignee:
                  mbalao Martin Balao
                  Reporter:
                  mbalao Martin Balao