
If someone could help, that would be greatly appreciated. I am a newbie to Kerberos and not sure if this is an obvious question, so please excuse my newness.

I am on a Kerberos-configured Windows machine. Two users, user1 and user2, have permission to it.

Below is my Java code:

import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TwoUserKerberosLogin {

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", "<JRE Path>\\lib\\security\\<kerb.conf file>");
        System.setProperty("java.security.auth.login.config", "jaas.conf");
        /*
         * Content of jaas.conf:
         * JAAS {
         *    com.sun.security.auth.module.Krb5LoginModule required
         *    useTicketCache=true debug=true;
         * };
         */

        // kinit of user1
        // Content of kinituser1.bat: "<JRE Path>\bin\kinit.exe" -A -k -t "/user1.keytab" "<user1 principal>"
        String[] cmdScript1 = new String[]{"kinituser1.bat"};
        Process procScript1 = Runtime.getRuntime().exec(cmdScript1);
        // exec() returns immediately: wait for kinit to finish writing the cache before logging in
        if (procScript1.waitFor() != 0) {
            throw new IllegalStateException("kinit for user1 failed, exit code " + procScript1.exitValue());
        }
        LoginContext context1 = AccessController.doPrivileged(
                new PrivilegedExceptionAction<LoginContext>() {
                    public LoginContext run() throws LoginException {
                        return new LoginContext("JAAS");
                    }
                });
        context1.login();
        Subject subject1 = context1.getSubject();
        System.out.println("Connected as:" + subject1); // This returns the expected user1 user ticket.
        context1.logout();

        // kinit of user2
        // Content of kinituser2.bat: "<JRE Path>\bin\kinit.exe" -A -k -t "/user2.keytab" "<user2 principal>"
        String[] cmdScript2 = new String[]{"kinituser2.bat"};
        Process procScript2 = Runtime.getRuntime().exec(cmdScript2);
        // Same wait as above, so the second login cannot race the second kinit
        if (procScript2.waitFor() != 0) {
            throw new IllegalStateException("kinit for user2 failed, exit code " + procScript2.exitValue());
        }
        LoginContext context2 = AccessController.doPrivileged(
                new PrivilegedExceptionAction<LoginContext>() {
                    public LoginContext run() throws LoginException {
                        return new LoginContext("JAAS");
                    }
                });
        context2.login();
        Subject subject2 = context2.getSubject();
        System.out.println("Connected as:" + subject2); // Here we are seeing the issue: This is still returning the user1 ticket subject, I was expecting user2 here.
        context2.logout();
    }
}
          

On running the above application, in spite of the cache getting refreshed with user2 after executing kinituser2.bat, I am getting the user1 ticket cache in the context2 subject. And if I swap user1 and user2, user2's ticket details are returned in both cases. This gives the impression that, irrespective of the ticket cache getting updated with another user's tickets, the initial user's ticket is always returned for later LoginContexts.

Did anyone face something like the above? Can someone tell me if I am missing or doing anything wrong?

seenukarthi
  • You can create a Kerberos TGT dynamically via JAAS config, without tapping the OS ticket cache. It's more secure _(the creds stay inside your process memory)_; you don't need to bother about another process trashing the cache; and you don't need to bother about the way JAAS refreshes its "context". – Samson Scharfrichter Apr 04 '23 at 07:26
  • Thank you Samson for the inputs. Can you please help me understand creating a Kerberos TGT dynamically via JAAS? I tried without the ticket cache, using keytabs. But somehow the keytab is not working for me. On further debugging I observed that the keytab is picked up only when isInitiator=false. Any inputs? – Jyothsna Ch Apr 05 '23 at 09:23
  • My JAAS is like this: JAAS { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false useKeyTab=true KeyTab="" principal="xyz" }; The above keytab is picked up when I have isInitiator=false set. This gives me the impression that there is no issue with the keytab path and file. But as my application is a client, I believe isInitiator needs to be set to true. Am I missing anything? Any configuration? – Jyothsna Ch Apr 05 '23 at 09:47
  • https://stackoverflow.com/a/42506620/5162372 – Samson Scharfrichter Apr 06 '23 at 09:44
  • And if you are curious about the structure & syntax of JAAS conf : https://stackoverflow.com/a/45776704/5162372 – Samson Scharfrichter Apr 06 '23 at 09:44
  • Thanks for the link. It finally worked with the keytab; I had to set useSubjectCredsOnly to false. But with the ticket cache it is still not working. Any inputs there? – Jyothsna Ch Apr 10 '23 at 09:54
  • ¯\(°_o)/¯ raise the debugging flags and check how Java reads and validates the JAAS/Kerberos conf (or not). In particular, check which ticket cache is used (Windows uses SSPI instead of the GSSAPI defaults, some Linux distros use KeyRing, which is not supported by Java, etc.) – Samson Scharfrichter Apr 16 '23 at 10:43
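An added example, not code from the question or from any of the commenters, of the approach the comments point at: log in two principals from their keytabs with a JAAS Configuration built in memory (no jaas.conf file, no java.security.auth.login.config property), with useTicketCache=false so the OS or file credential cache is never read or written, and isInitiator=true because the application is a client. Each LoginContext then gets its own Subject holding its own TGT, so a second login cannot be served by the first user's cached ticket. The principal names, keytab paths and krb5.conf location are placeholders.

```java
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Example, not from the question: two keytab-based Kerberos logins in one JVM
 * that never touch the OS / file ticket cache. Each LoginContext returns its
 * own Subject with its own TGT, so user1 and user2 cannot collide.
 */
public class KeytabLoginDemo {

    /** JAAS Configuration held in memory; replaces jaas.conf and the login.config system property. */
    static final class InMemoryJaasConfig extends Configuration {
        private final Map<String, AppConfigurationEntry[]> entries = new HashMap<>();

        void addKeytabEntry(String entryName, String principal, String keytabPath) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useKeyTab", "true");
            opts.put("keyTab", keytabPath);
            opts.put("principal", principal);
            opts.put("storeKey", "true");          // keep the long-term key in the Subject for re-login
            opts.put("doNotPrompt", "true");       // fail instead of prompting if the keytab cannot be used
            opts.put("isInitiator", "true");       // client side: request a TGT from the KDC (the default)
            opts.put("useTicketCache", "false");   // do not consult or update the OS/file credential cache
            opts.put("refreshKrb5Config", "true"); // re-read krb5.conf on each login
            opts.put("debug", "true");
            entries.put(entryName, new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
            });
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return entries.get(name);
        }
    }

    /** Logs in the named entry and returns the Subject that owns the resulting TGT. */
    static Subject loginFromKeytab(String entryName) throws LoginException {
        LoginContext lc = new LoginContext(entryName); // resolved via Configuration.getConfiguration()
        lc.login();
        return lc.getSubject();
    }

    /** Client principal of the TGT in the Subject, or null if the login produced no TGT. */
    static String tgtClientName(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t.getClient().getName();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumed, not from the question): point these at your own files and principals.
        System.setProperty("java.security.krb5.conf", "C:\\path\\to\\krb5.conf");
        InMemoryJaasConfig cfg = new InMemoryJaasConfig();
        cfg.addKeytabEntry("User1Login", "user1@EXAMPLE.COM", "C:\\keytabs\\user1.keytab");
        cfg.addKeytabEntry("User2Login", "user2@EXAMPLE.COM", "C:\\keytabs\\user2.keytab");
        Configuration.setConfiguration(cfg);

        Subject subject1 = loginFromKeytab("User1Login");
        Subject subject2 = loginFromKeytab("User2Login");
        System.out.println("subject1 TGT for: " + tgtClientName(subject1));
        System.out.println("subject2 TGT for: " + tgtClientName(subject2));

        // With the default javax.security.auth.useSubjectCredsOnly=true, GSS-API code only sees
        // these credentials when it runs inside Subject.doAs with the matching Subject.
        Subject.doAs(subject2, (PrivilegedAction<Void>) () -> {
            System.out.println("Acting as " + subject2.getPrincipals(KerberosPrincipal.class));
            return null;
        });
    }
}
```

Two caveats. Configuration.setConfiguration is process-wide, so install one Configuration that knows all entry names rather than swapping it between logins. And the credential lookup path depends on the javax.security.auth.useSubjectCredsOnly property: left at its default of true, GSS-API code finds a TGT only inside Subject.doAs (Subject.callAs on JDK 18 and later, where doAs is deprecated) for the Subject that holds it; set to false, as in the comment above, the Java GSS provider ignores the current Subject and performs its own login through the JAAS entry named com.sun.security.jgss.krb5.initiate, which is why that setting changes behaviour.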

0 Answers