Kerberos on Mac

Greg Hudson ghudson at mit.edu
Fri May 12 11:40:33 EDT 2017


On 05/12/2017 11:28 AM, Matt Darwin wrote:
> I’ve written a detailed description of the problem on stack overflow : http://stackoverflow.com/questions/43685086/

I read this, and I don't see in there the server principal name in the
TGS request on macOS and on Linux.  You might be able to obtain that
with wireshark or similar if you can't get it out of the JVM.  That
information, together with knowledge of your DNS configuration, might
provide a hint as to what's going on.

Note that the JVM has its own Kerberos implementation, which is separate
from MIT krb5, Heimdal, or the macOS fork of Heimdal.  (I believe it's
possible to use a shim to force it to call out to the C library, but
from the stack trace it doesn't appear that you're doing that.)  So the
output you're getting from krb5-config --version is irrelevant, as is
using brew to install a newer C library.


More information about the Kerberos mailing list