referrals and canonicalization

Ben Gooley bgooley at cloudera.com
Thu Feb 27 14:36:22 EST 2020


Hi Isaac,

Thanks... for reference, Java enabled both referrals and canonicalization
requests by its clients in recent releases of OpenJDK:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8223172

This means that if an upgrade is done and they are using an Active
Directory KDC, hadoop's use of Kerberos breaks because AD returns the
sAMAccountName in reply to the canonicalization.

In any case, part of OpenJDK's move was to align with other distros (like
MIT Kerberos) but they veered off when they supported canonicalization by
default.
We'll likely open a bug with OpenJDK, so I wanted to confirm the behavior
of MIT's implementation as a reference to argue that Java should NOT
canonicalize by default and that it should use krb5.conf's configuration.

Greg just confirmed the behavior I was questioning; I appreciate the
responses.

Thanks everyone!

On Thu, Feb 27, 2020 at 11:24 AM Isaac Boukris <iboukris at gmail.com> wrote:

> On Thu, Feb 27, 2020 at 8:03 PM Ben Gooley <bgooley at cloudera.com> wrote:
> >
> > Hello everyone,
> >
> > Java just decided to support Kerberos referrals and canonicalization and it
> > is turned on by default.
> > This brings up a question about implementation in MIT Kerberos:
> >
> > Does MIT Kerberos support referrals by default or must canonicalization be
> > turned on in order to handle referrals?
>
> Can you be more specific about what use case exactly you have in mind?
> Roughly, I think in MIT, both client and KDC won't do referrals if the
> canonicalize flag was not set on the request, but it is often set
> automatically.
>
> BTW, in my opinion, we shouldn't care about the canonicalize flag for
> referrals. Windows doesn't seem to really care either (they'll return
> both client and server referrals, even with the flag off), I think MS
> just abused this flag in RFC 6806 as a generic excuse flag whenever
> they deviated from RFC 4120 (while they only use the flag for
> canonicalization purposes).
>


-- 
*Ben Gooley* | Principal Program Manager
t. +1 (650) 505-5211
cloudera.com <https://www.cloudera.com>
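As an added illustration of the behavior discussed above (constructed for this page; not code from the thread, MIT krb5, OpenJDK or Hadoop), the model below applies the MIT-style client rule that a reply naming a different client principal is accepted only when the canonicalize flag was set on the request, and shows how a flat sAMAccountName coming back from an AD KDC changes the local user a service ends up as. The AD behaviour, the principal names and the first-component local-user mapping are simplified assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    components: tuple   # e.g. ("hdfs", "dn1.example.com")
    realm: str

    @classmethod
    def parse(cls, text):
        name, realm = text.rsplit("@", 1)
        return cls(tuple(name.split("/")), realm)

class KdcReplyMismatch(Exception):
    """Stand-in for MIT's 'KDC reply did not match expectations' error."""

def accept_as_rep(requested, reply_cname, canonicalize):
    """MIT-style client check: a reply naming a different client principal is
    only acceptable when the canonicalize flag was set on the request."""
    if reply_cname == requested or canonicalize:
        return reply_cname
    raise KdcReplyMismatch(f"asked for {requested}, KDC answered {reply_cname}")

def ad_as_exchange(requested, canonicalize):
    """Assumed AD behaviour (constructed): asked to canonicalize, it answers
    with the account's flat sAMAccountName; otherwise it echoes the request."""
    if canonicalize and len(requested.components) == 2:
        svc, host = requested.components
        return Principal((f"{svc}-{host.split('.')[0]}",), requested.realm)
    return requested

def local_user(principal):
    """Simplified auth_to_local-style mapping (not Hadoop's rule engine):
    service/host@REALM -> service, user@REALM -> user."""
    return principal.components[0]

def local_user_after_login(requested_text, canonicalize):
    """Local user the client ends up with for a given canonicalize setting."""
    requested = Principal.parse(requested_text)
    reply = ad_as_exchange(requested, canonicalize)
    return local_user(accept_as_rep(requested, reply, canonicalize))

def rejected_without_flag(requested_text, reply_text):
    """True if a changed client name is refused when canonicalize is off."""
    try:
        accept_as_rep(Principal.parse(requested_text), Principal.parse(reply_text), False)
    except KdcReplyMismatch:
        return True
    return False
```

With canonicalization off the service principal still maps to `hdfs`; with it on, the same login yields `hdfs-dn1`, which is the kind of mismatch that breaks a deployment keyed on the requested name.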

