Hi Isaac,

Thanks... for reference, Java enabled both referrals and canonicalization requests by its clients in recent releases of OpenJDK: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8223172

This means that if an upgrade is done and they are using an Active Directory KDC, Hadoop's use of Kerberos breaks because AD returns the sAMAccountName in reply to the canonicalization. In any case, part of OpenJDK's move was to align with other distros (like MIT Kerberos), but they veered off when they supported canonicalization by default. We'll likely open a bug with OpenJDK, so I wanted to confirm the behavior of MIT's implementation as a reference to argue that Java should NOT canonicalize by default and that it should use krb5.conf's configuration.

Greg just confirmed the behavior I was questioning; I appreciate the responses. Thanks everyone!

On Thu, Feb 27, 2020 at 11:24 AM Isaac Boukris <[email protected]> wrote:

> On Thu, Feb 27, 2020 at 8:03 PM Ben Gooley <[email protected]> wrote:
> >
> > Hello everyone,
> >
> > Java just decided to support Kerberos referrals and canonicalization and it
> > is turned on by default.
> > This brings up a question about implementation in MIT Kerberos:
> >
> > Does MIT Kerberos support referrals by default or must canonicalization be
> > turned on in order to handle referrals?
>
> Can you be more specific, what use case exactly do you have in mind.
> Roughly, I think in MIT, both client and KDC won't do referrals if the
> canonicalize flag was not set on the request, but it is often set
> automatically.
>
> BTW, in my opinion, we shouldn't care about the canonicalize flag for
> referrals. Windows doesn't seem to really care either (they'll return
> both client and server referrals, even with the flag off). I think MS
> just abused this flag in RFC 6806 as a generic excuse flag whenever
> they deviated from RFC 4120 (while they only use the flag for
> canonicalization purposes).

--
*Ben Gooley* | Principal Program Manager
t. +1 (650) 505-5211
cloudera.com <https://www.cloudera.com>

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
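The two things the thread turns on, whether the client set the canonicalize flag in its AS-REQ and whether the KDC then handed back a different client principal (the sAMAccountName case that breaks Hadoop against AD), are both visible in a packet capture. The following is an added example, not code from the thread, from MIT krb5 or from OpenJDK: it unwraps the DER BIT STRING that carries KDCOptions, names the flags that are set (bit numbers per RFC 4120 section 5.4.1, RFC 6112 and RFC 6806, where canonicalize is bit 15), and compares the requested and returned client names. The option bytes and principal names are constructed sample values, not captured traffic.

```python
"""Decode Kerberos KDCOptions and spot client-name canonicalization.

Added example, not code from the mailing-list thread, MIT krb5 or OpenJDK.
Bit numbers follow RFC 4120 section 5.4.1 (KDCOptions), RFC 6112
(request-anonymous) and RFC 6806 (canonicalize = bit 15). All option bytes
and principal names below are constructed sample values, not captured data.
"""
from typing import Dict, Iterable, Set

# KDCOptions bit numbers; in an ASN.1 BIT STRING bit 0 is the most
# significant bit of the first octet.
KDC_OPTION_BITS: Dict[int, str] = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize", 16: "request-anonymous",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}
NAME_TO_BIT = {name: bit for bit, name in KDC_OPTION_BITS.items()}


def parse_der_bitstring(der: bytes) -> bytes:
    """Strip the DER BIT STRING wrapper (tag 0x03, short-form length,
    unused-bits octet) from a KDCOptions value and return the 4 flag octets."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length encoding")
    unused_bits, payload = der[2], der[3:]
    if unused_bits != 0 or len(payload) != 4:
        raise ValueError("KDCOptions must be exactly 32 bits")
    return payload


def decode_kdc_options(flag_octets: bytes) -> Set[str]:
    """Return the names of all known flags set in a 4-octet KDCOptions value."""
    value = int.from_bytes(flag_octets, "big")
    return {name for bit, name in KDC_OPTION_BITS.items()
            if value & (1 << (31 - bit))}


def encode_kdc_options(flags: Iterable[str]) -> bytes:
    """Inverse of decode_kdc_options: build the 4 flag octets for a flag set."""
    value = 0
    for name in flags:
        value |= 1 << (31 - NAME_TO_BIT[name])
    return value.to_bytes(4, "big")


def audit_as_exchange(req_options_der: bytes, requested_cname: str,
                      reply_cname: str) -> Dict[str, object]:
    """Summarise one AS-REQ/AS-REP pair: did the client ask for
    canonicalization, and did the KDC return a client name other than the one
    requested? Names are compared exactly, as MIT krb5 does (AD itself matches
    names case-insensitively, so a case-only change is still flagged here)."""
    flags = decode_kdc_options(parse_der_bitstring(req_options_der))
    canonicalize = "canonicalize" in flags
    cname_changed = requested_cname != reply_cname
    if cname_changed and canonicalize:
        note = "KDC rewrote the client name at the client's request"
    elif cname_changed:
        note = "KDC rewrote the client name although canonicalize was not set"
    else:
        note = "client name unchanged"
    return {"flags": sorted(flags), "canonicalize": canonicalize,
            "cname_changed": cname_changed, "note": note}


if __name__ == "__main__":
    # Constructed sample: forwardable + canonicalize + renewable-ok wrapped as
    # a DER BIT STRING, with the KDC answering under a different client name.
    sample_req = b"\x03\x05\x00\x40\x01\x00\x10"
    print(audit_as_exchange(sample_req,
                            "hdfs/node1.example.com@EXAMPLE.COM",
                            "hdfs-node1@EXAMPLE.COM"))
```

Running the audit over the AS exchanges of a Java client before and after the OpenJDK upgrade shows directly whether the new default is what changed the name the KDC returns; a client that honours `canonicalize = false` in krb5.conf would produce requests without bit 15 and an unchanged cname.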
