hadoop-common-issues mailing list archives

From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-6603) Provide workaround for issue with Kerberos not resolving cross-realm principal
Date Wed, 03 Mar 2010 19:10:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-6603?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12840810#action_12840810 ]

Kan Zhang commented on HADOOP-6603:
-----------------------------------

> I don't think that the check to make sure the 2nd component of the krbtgt is the realm is necessary.

It's needed since we want to use the original TGS ticket issued by the user's original realm,
not any intermediate TGS tickets that were cached in the Subject by previous operations. Those
intermediate TGS tickets may be issued for realms that are different from the target realm
of the current request, which will cause the current get service ticket operation to fail.

> Provide workaround for issue with Kerberos not resolving cross-realm principal
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-6603
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6603
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Jakob Homan
>         Attachments: HADOOP-6603-Y20S-2.patch, HADOOP-6603-Y20S-3.patch, HADOOP-6603-Y20S.patch
>
>
> Java's SSL-Kerberos implementation does not correctly obtain the principal for cross-realm
> principals when clients initiate connections to servers, resulting in the client being unable
> to authenticate the server.  We need a work-around until this bug gets fixed.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
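
The check discussed in the comment above, as an added example that is not taken from the HADOOP-6603 patches: it picks the original TGT (`krbtgt/REALM@REALM`) out of a Subject that also holds a cached cross-realm TGT. The class and method names and the `A.EXAMPLE`/`B.EXAMPLE` realms are hypothetical, and the sample tickets are constructed with dummy encodings and keys.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class OriginalTgtExample {
    // True only for krbtgt/REALM@REALM: the second name component must equal
    // the realm of the issuing KDC. A cross-realm TGT such as
    // krbtgt/B.EXAMPLE@A.EXAMPLE fails this test.
    static boolean isOriginalTgt(KerberosTicket ticket) {
        KerberosPrincipal server = ticket.getServer();
        if (server == null) return false;
        String realm = server.getRealm();
        return server.getName().equals("krbtgt/" + realm + "@" + realm);
    }

    // Hypothetical helper: first unexpired original TGT in the Subject, or null.
    static KerberosTicket findOriginalTgt(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (isOriginalTgt(t) && t.isCurrent()) return t;
        }
        return null;
    }

    // Constructed sample ticket: dummy ASN.1 bytes and an all-zero session key.
    static KerberosTicket sample(String client, String server) {
        Date now = new Date();
        Date end = new Date(now.getTime() + 3_600_000L);
        return new KerberosTicket(new byte[] {0}, new KerberosPrincipal(client),
                new KerberosPrincipal(server), new byte[16], 17, null,
                now, now, end, null, null);
    }

    public static void main(String[] args) {
        Subject s = new Subject();
        // Intermediate cross-realm TGT cached by an earlier request.
        s.getPrivateCredentials().add(sample("alice@A.EXAMPLE", "krbtgt/B.EXAMPLE@A.EXAMPLE"));
        // Original TGT issued by the user's own realm.
        s.getPrivateCredentials().add(sample("alice@A.EXAMPLE", "krbtgt/A.EXAMPLE@A.EXAMPLE"));
        // Ordinary service ticket, never a TGT candidate.
        s.getPrivateCredentials().add(sample("alice@A.EXAMPLE", "host/nn.b.example@B.EXAMPLE"));

        KerberosTicket tgt = findOriginalTgt(s);
        System.out.println(tgt == null ? "none" : tgt.getServer().getName());
    }
}
```

Matching only on the `krbtgt` first component would also accept the cross-realm ticket, which is the failure case the comment describes.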

