something is going wrong with multiple keytab based auths in the same
JVM. ugh. further
digging elsewhere is necessary
Not that familiar with this but with the knowledge gained from 5
minutes googling.
Have you tried setting the debug options to true?
yes, that is how I produced the stuff I posted around 1:25 today.
looks like:
Debug is true storeKey false useTicketCache true useKeyTab true
doNotPrompt true ticketCache is /tmp/sakai_tcache.txt KeyTab is
/etc/leland/keytab.coursework refreshKrb5Config is false principal is
****/****@stanford.edu tryFirstPass is false useFirstPass is false
storePass is false clearPass is false
Acquire TGT from Cache
Principal is *****/*****@stanford.edu
null credentials from Ticket Cache
>>> KeyTabInputStream, readName(): stanford.edu
>>> KeyTabInputStream, readName(): ******
>>> KeyTabInputStream, readName(): *******
hmm? how's that for properly elided. trust me they match. :)
So it does show useful stuff; sometimes I hard code it into the JAAS
file's definition
for the type of connection.
I'm not sure how useful some of this is, but might just come up with
something interesting.
hey, tho, I am still wondering just where the cache is kept. :)
I'm not looking for a tutorial or anything but from my quick browse it
appeared the keytab file is for server use, while the the ticketcache
is for client application use if you do not want to password prompt?
Possibly provided by you (or your ide?). Or natively somehow from some
references?
Let me kick around what I'm doing; I may shake loose one of my own cobwebs!
My Server app uses keytabs when it is acting in a Client role to other
Servers on behalf of my Servers Clients.
:)
for example my users log in as themselves, and are authenticated via
Kerberos. I dont' need a keytab for that; they use their own passwords.
my app quickly forgets they ever saw the users password.
then, my app turns around and uses keytab issued from our LDAP team to
allow it to access our LDAP servers for some secret sauce about the
user. Heck, sometimes the user can't get what this keytab allows you to get.
later, if the user decides they want to provision a set of services
elsewhere on campus, my app uses a keytab issues from that elsewhere
group to do so. in this case it is a set of CGI / PHPBB / MYSQL services.
This keytab has no LDAP rights, nor does the LDAP keytab have any
service rights in this other place... heck they're different
organizations! they covet each others budgets!
My application does this a lot so I am caching the tickets I get from
those other servers; as I understand it this will keep down some of the
wire traffic. I originally was thinking "hey, is the cache all fowled up?"
the frustrating bit is that either one of these works on their own. But
if they are both invoked w.in the lifetime of a single JVM the
last-one-in isn't properly decrypted.
what I'm wondering now is if there is some issue with the sequential
keytab evaluation within a single kerberos domain.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden
