What do you think if we add some debug info at the internal KeyTab creation at [1]? For the 2 exceptions we can print out a line and the exception.toString(), then you will know if the filename doesn't exist, or is a directory, or no permission to read.

Of course, you will need to turn on -Dsun.security.krb5.debug=true to see this level of debug info.

Thanks,
Weijun

[1] https://github.com/openjdk/jdk/blob/f4af0eadb6eaf9d9614431110ab7fc9c1588966d/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java#L93

> On Aug 17, 2021, at 4:19 PM, Horváth Péter Gergely
> <horvath.peter.gerg...@gmail.com> wrote:
>
> Dear All,
>
> I am wondering if someone would be kind enough to sponsor the following small
> change:
>
> When debugging is enabled for com.sun.security.auth.module.Krb5LoginModule
> and the file specified by "keyTab" is not found, Krb5LoginModule simply emits
> a generic message, similar to this:
> "Key for the principal foo...@acme.com not available in
> /home/foobar/foobar.keytab"
>
> This message can be quite confusing and counterintuitive if the file is
> actually not there, because, based on the message, one would think that the
> JVM probed the file, found it, loaded the data, but still could not use the
> keytab data for authentication.
>
> I would propose adding further debug logging to Krb5LoginModule so as to emit
> a warning in case the key was not found, due to the file not being present,
> readable or being a directory.
>
> Please find attached the patch file: it is trivial, and only affects a debug
> branch of the code.
>
> Please let me know what you think.
>
> Thanks,
> Peter
> <keyTab_file_checks.patch>
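
A pre-flight check that separates the file-level causes discussed in this thread (path missing, a directory, not readable) from a key that is genuinely absent, as an added example that is not part of the original messages, the attached patch or the JDK. The class name, the `Status` values and the header check are assumptions made for illustration; `OK` only means the file opens and starts with a keytab header, not that it holds a key for a given principal.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

public class KeytabPreflight {
    // Hypothetical result categories, not names used by the JDK.
    enum Status { OK, NOT_FOUND, IS_DIRECTORY, NOT_READABLE, NOT_A_KEYTAB, IO_ERROR }

    static Status check(Path keytab) {
        if (!Files.exists(keytab)) return Status.NOT_FOUND;
        if (Files.isDirectory(keytab)) return Status.IS_DIRECTORY;
        if (!Files.isReadable(keytab)) return Status.NOT_READABLE;
        try (InputStream in = Files.newInputStream(keytab)) {
            // Keytab files start with 0x05 followed by a format version of 0x01 or 0x02.
            int magic = in.read();
            int version = in.read();
            return (magic == 0x05 && (version == 0x01 || version == 0x02))
                    ? Status.OK : Status.NOT_A_KEYTAB;
        } catch (IOException e) {
            // Covers failures that only show up when the file is actually opened.
            return Status.IO_ERROR;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: a missing path, a directory, a file holding
        // only a keytab header, and a file with unrelated content.
        Path dir = Files.createTempDirectory("ktcheck");
        Path missing = dir.resolve("absent.keytab");
        Path header = Files.write(dir.resolve("header.keytab"), new byte[] {0x05, 0x02});
        Path text = Files.write(dir.resolve("notes.txt"), "not a keytab".getBytes());
        for (Path p : new Path[] {missing, dir, header, text}) {
            System.out.println(p.getFileName() + " -> " + check(p));
        }
    }
}
```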