I think the new message in KeyTab.java is enough. The added lines in Krb5LoginModule is a little too long with the try-catch structure.
—Weijun > On Aug 18, 2021, at 1:50 PM, Horváth Péter Gergely > <horvath.peter.gerg...@gmail.com> wrote: > > Hi Weijun, > > Many thanks for your response. I think that indeed it would make sense to log > in KeyTab, since the FileNotFoundException there should even have the > platform-specific reason message coming from the native layer. > > At the same time, I think it would make sense to emit a log message around > the original "Key for the principal ... not available in ..." message as > well. It is probably good to have more context when debugging. > > I have created a new patch combining the two approaches. Code in > Krb5LoginModule now relies on the KeyTab exists() call: it is probably better > like that. > Please take a look and let me know what you think. > > Thanks, > Peter > > > > > Wei-Jun Wang <weijun.w...@oracle.com> ezt írta (időpont: 2021. aug. 17., K, > 23:33): > How do you think if we add some debug info at the internal KeyTab creation at > [1]? > > For the 2 exceptions we can print out a line and the exception.toString(), > then you will know if the filename doesn’t exist, or is a directory, or no > permission to read. > > Of course, you will need to turn on -Dsun.security.krb5.debug=true to see > this level of debug info. > > Thanks, > Weijun > > [1] > https://github.com/openjdk/jdk/blob/f4af0eadb6eaf9d9614431110ab7fc9c1588966d/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java#L93 > > > > On Aug 17, 2021, at 4:19 PM, Horváth Péter Gergely > > <horvath.peter.gerg...@gmail.com> wrote: > > > > Dear All, > > > > I am wondering if someone would be kind enough to sponsor the following > > small change: > > > > When debugging is enabled for com.sun.security.auth.module.Krb5LoginModule > > and the file specified by "keyTab" is not found, Krb5LoginModule simply > > emits a generic message, similar to this: > > "Key for the principal foo...@acme.com not available in > > /home/foobar/foobar.keytab" > > > > This message can be quite confusing and counterintuitive if the file is > > actually not there, because, based on the message, one would think that the > > JVM probed the file, found it, loaded the data, but still could not use the > > keytab data for authentication. > > > > I would propose adding further debug logging to Krb5LoginModule so as to > > emit a warning in case the key was not found, due to the file not being > > present, readable or a being a directory. > > > > Please find attached the patch file: it is trivial, and only affects a > > debug branch of the code. > > > > Please let me know what you think. > > > > Thanks, > > Peter > > <keyTab_file_checks.patch> > > <keyTab_file_checks2.patch>
