Problem can be reproduced using a minimal Example as follows:
# This is what we have:
user@host:~/work$ ls -al
total 20
drwxrwx--- 2 user user 4096 Feb 14 17:33 .
drwxr-xr-x 5 user user 4096 Feb 14 17:29 ..
-rw-rw---- 1 user user 942 Feb 14 17:29 KerberosDemo.java
-rw-rw---- 1 user user 101 Feb 13 13:13 jaas_cached.conf
-rw-rw---- 1 user user 276 Feb 13 13:24 jaas_keytab.conf
# now, this is what happens with OpenJDK 1.8.0_232
# principal name and client name all refer to <email address hidden> (in AD, this is the servicePrincipalName):
# while this is what we see with OpenJDK 1.8.0_242
# while for the cached ticket the results are the same, for the ticket gotten by JAAS the names differ!!!
# Note: $V9H200-TAD2F4IK2G09 is the sAMAccountName of the AD user with servicePrincipalName <email address hidden>
Problem can be reproduced using a minimal Example as follows:
# This is what we have:
user@host:~/work$ ls -al
total 20
drwxrwx--- 2 user user 4096 Feb 14 17:33 .
drwxr-xr-x 5 user user 4096 Feb 14 17:29 ..
-rw-rw---- 1 user user 942 Feb 14 17:29 KerberosDemo.java
-rw-rw---- 1 user user 101 Feb 13 13:13 jaas_cached.conf
-rw-rw---- 1 user user 276 Feb 13 13:24 jaas_keytab.conf
# it's a minimal example
user@host:~/work$ cat KerberosDemo.java
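import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Minimal JAAS/Kerberos reproducer: logs in through the "Demo" JAAS entry
 * (selected with -Djava.security.auth.login.config=...), then prints the
 * Subject's principals and the client name of the KerberosTicket it holds.
 * The printed client name is the value compared across JDK builds in the
 * bug report this listing belongs to.
 */
public class KerberosDemo {

    /**
     * Performs the login and prints the principal set and ticket client name.
     * Exits with status 1 if the LoginContext cannot be created, if the login
     * fails, or if the Subject carries no KerberosTicket at all.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        LoginContext loginContext = null;
        try {
            // "Demo" is the entry name used in jaas_keytab.conf / jaas_cached.conf
            loginContext = new LoginContext("Demo");
        } catch (LoginException e) {
            System.err.println("login context creation failed: " + e.getMessage());
            System.exit(1);
        }
        try {
            loginContext.login();
        } catch (LoginException e) {
            System.out.println("authentication failed");
            System.exit(1);
        }
        Subject subject = loginContext.getSubject();
        System.out.println("Authenticated principal: " + subject.getPrincipals());
        // Select KerberosTicket instances explicitly rather than casting whatever
        // comes first out of the raw private-credential Set: the set may also
        // carry other credential objects (e.g. key material when storeKey=true),
        // and a blind cast of iterator.next() can fail with ClassCastException
        // or NoSuchElementException instead of reporting the real problem.
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            System.err.println("no KerberosTicket in private credentials");
            System.exit(1);
        }
        Iterator<KerberosTicket> iterator = tickets.iterator();
        KerberosTicket kt = iterator.next();
        System.out.println("Client name: " + kt.getClient());
    }
}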
# let's compile it
user@host:~/work$ javac KerberosDemo.java
# and use it either with a keytab (JAAS is getting the ticket) ...
user@host:~/work$ cat jaas_keytab.conf
# use keytab!
Demo {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/myprincipal.service.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="serviceprincipal"
  principal="<email address hidden>";
};
# ... or with a ticket gotten earlier by MIT Kerberos client (kinit)
user@host:~/work$ cat jaas_cached.conf
# use cached!
Demo {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=false
  useTicketCache=true;
};
# this is how the ticket was placed in the cache
user@host:~/work$ kinit -kt /etc/security/keytabs/myprincipal.service.keytab <email address hidden>
# now, this is what happens with OpenJDK 1.8.0_232
# principal name and client name all refer to <email address hidden> (in AD, this is the servicePrincipalName):
user@host:~/work$ java -version
openjdk version "1.8.0_232"
OpenJDK Runtime Environment (build 1.8.0_232-8u232-b09-0ubuntu1~18.04.1-b09)
OpenJDK 64-Bit Server VM (build 25.232-b09, mixed mode)
user@host:~/work$ java -Djava.security.auth.login.config=jaas_keytab.conf KerberosDemo
Authenticated principal: [<email address hidden>]
Client name: <email address hidden>
user@host:~/work$ java -Djava.security.auth.login.config=jaas_cached.conf KerberosDemo
Authenticated principal: [<email address hidden>]
Client name: <email address hidden>
# while this is what we see with OpenJDK 1.8.0_242
# while for the cached ticket the results are the same, for the ticket gotten by JAAS the names differ!!!
# Note: $V9H200-TAD2F4IK2G09 is the sAMAccountName of the AD user with servicePrincipalName <email address hidden>
user@host:~/work$ java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-8u242-b08-0ubuntu3~18.04-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
user@host:~/work$ java -Djava.security.auth.login.config=jaas_keytab.conf KerberosDemo
Authenticated principal: [<email address hidden>]
Client name: $<email address hidden>
user@host:~/work$ java -Djava.security.auth.login.config=jaas_cached.conf KerberosDemo
Authenticated principal: [<email address hidden>]
Client name: <email address hidden>