[
https://issues.apache.org/jira/browse/HADOOP-6603?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12840810#action_12840810
]
Kan Zhang commented on HADOOP-6603:
-----------------------------------
> I don't think that the check to make sure the 2 component of the krbtgt is
> the realm is necessary.
It's needed since we want to use the original TGS ticket issued by the user's
original realm, not any intermediate TGS tickets that were cached in the
Subject by previous operations. Those intermediate TGS tickets may be issued
for realms that are different from the target realm of the current request,
which will cause the current get service ticket operation to fail.
> Provide workaround for issue with Kerberos not resolving cross-realm principal
> ------------------------------------------------------------------------------
>
> Key: HADOOP-6603
> URL: https://issues.apache.org/jira/browse/HADOOP-6603
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Jakob Homan
> Attachments: HADOOP-6603-Y20S-2.patch, HADOOP-6603-Y20S-3.patch,
> HADOOP-6603-Y20S.patch
>
>
> Java's SSL-Kerberos implementation does not correctly obtain the principal
> for cross-realm principles when clients initiate connections to servers,
> resulting in the client being unable to authenticate the server. We need a
> work-around until this bug gets fixed.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
