Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

BUG Report : 'krb5.ini' not found on Windows.

1,266 views
Skip to first unread message

Onkesh Bansal

unread,
May 17, 2011, 6:53:15 AM5/17/11
to kerb...@mit.edu
Hello,

Configuration>>

>>>Windows 2008 R2 (Service Pack 1) workstation.

I am having this problem on my machine and am not able to figure out
what is the root cause.

The scenario seems with Terminal Services installed on the system and
when the authentication has to be done via the LDAP over the local
network.


This BUG has been logged with ORACLE-JAVA at
http://bugs.sun.com/view_bug.do?bug_id=6793475 and they have already
provided with a work around.

My Query is:

1. What is the reason behind this bug. I need to know the root
cause for this.

2. What should be my steps (apart from the workaround provided
with the bug resolution) so as to prevent any future re-occurrences?
ie I need a fix.

3. Can it be related to the version changes of Kerberos or is it
because of Windows 2008?

Thanks & Regards,

Onkesh Bansal

Engineer-1 QA,

Quark Media House (P) Ltd.

oba...@quark.com

Jeffrey Altman

unread,
May 17, 2011, 2:43:35 PM5/17/11
to kerb...@mit.edu
Application specific configuration files do not belong in \WINDOWS.
The correct place for krb5.ini is \ProgramData\Kerberos\krb5.ini which
requires that the environment variable KRB5_CONFIG be set to refer to
that file.

I do not know whether or not Java will pay attention to the environment
variable.

Jeffrey Altman

> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

signature.asc

Douglas E. Engert

unread,
May 17, 2011, 3:06:05 PM5/17/11
to kerb...@mit.edu

On 5/17/2011 5:53 AM, Onkesh Bansal wrote:
> Hello,
>
>
>
> Configuration>>
>
>>>> Windows 2008 R2 (Service Pack 1) workstation.
>
>
>
> I am having this problem on my machine and am not able to figure out
> what is the root cause.
>
> The scenario seems with Terminal Services installed on the system and
> when the authentication has to be done via the LDAP over the local
> network.
>
>
> This BUG has been logged with ORACLE-JAVA at
> http://bugs.sun.com/view_bug.do?bug_id=6793475 and they have already
> provided with a work around.
>
> My Query is:
>
> 1. What is the reason behind this bug. I need to know the root
> cause for this.

This is not a Kerberos issue, but a Java issue of how Java finds a krb5.conf
or krb5.ini on the running system.
See:
http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html

As it says,
"If the system property java.security.krb5.conf is set, its value is assumed to
specify the path and file name."
So you can add to the comamnd like -Djava.security.krb5.conf=/path.to/krb5.conf

It says it then looks in
in <java-home>\lib\security so put it there.

After that it gets a little mushy.

>
> 2. What should be my steps (apart from the workaround provided
> with the bug resolution) so as to prevent any future re-occurrences?
> ie I need a fix.

They gave you a fix.

>
> 3. Can it be related to the version changes of Kerberos or is it
> because of Windows 2008?

Yes and no. Oracle/Java need to address this issue on every system they run
under, including 2008 with terminal server.

Note: Windows itself does not use a krb5.ini or krb5.conf, so the location
is based on where Oracle/java or some other Kerberos application expect it
to be.

>
>
>
> Thanks& Regards,


>
> Onkesh Bansal
>
> Engineer-1 QA,
>
> Quark Media House (P) Ltd.
>
> oba...@quark.com
>
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Weijun Wang

unread,
May 17, 2011, 11:49:05 PM5/17/11
to jal...@secure-endpoints.com, kerb...@mit.edu

On 05/18/2011 02:43 AM, Jeffrey Altman wrote:
> Application specific configuration files do not belong in \WINDOWS.
> The correct place for krb5.ini is \ProgramData\Kerberos\krb5.ini which
> requires that the environment variable KRB5_CONFIG be set to refer to
> that file.
>
> I do not know whether or not Java will pay attention to the environment
> variable.

We are not reading this environment variable, will consider adding it.

So, the logic will be

1. If java system property java.security.krb5.conf set, use it
2. If KRB5_CONFIG set, use it
3. If $JRE/lib/security/krb5.conf exists, use it
4. If Windows:
a) If there is krb5.ini in GetWindowsDirectory, use it
b) If there is krb5.ini in GetSystemWindowsDirectory, use it
c) Use USERDNSDOMAIN and LOGONSERVER environment variables
5. If *nix:
a) If Solaris, try /etc/krb5/krb5.conf
b) Otherwise, try /etc/krb5.conf
c) Use DNS

Thanks
Weijun

>
> Jeffrey Altman


>
>
> On 5/17/2011 6:53 AM, Onkesh Bansal wrote:
>> Hello,
>>
>>
>>
>> Configuration>>
>>
>>>>> Windows 2008 R2 (Service Pack 1) workstation.
>>
>>
>>
>> I am having this problem on my machine and am not able to figure out
>> what is the root cause.
>>
>> The scenario seems with Terminal Services installed on the system and
>> when the authentication has to be done via the LDAP over the local
>> network.
>>
>>
>> This BUG has been logged with ORACLE-JAVA at
>> http://bugs.sun.com/view_bug.do?bug_id=6793475 and they have already
>> provided with a work around.
>>
>> My Query is:
>>
>> 1. What is the reason behind this bug. I need to know the root
>> cause for this.
>>

>> 2. What should be my steps (apart from the workaround provided
>> with the bug resolution) so as to prevent any future re-occurrences?
>> ie I need a fix.
>>

>> 3. Can it be related to the version changes of Kerberos or is it
>> because of Windows 2008?
>>
>>
>>

0 new messages