OK, I think we can agree on that. Please add the changes of KeyTab.java: it should be helpful in future releases.
Thanks, Peter On Wed, Aug 18, 2021, 23:06 Wei-Jun Wang, <weijun.w...@oracle.com> wrote: > I think the new message in KeyTab.java is enough. The added lines in > Krb5LoginModule is a little too long with the try-catch structure. > > —Weijun > > > On Aug 18, 2021, at 1:50 PM, Horváth Péter Gergely < > horvath.peter.gerg...@gmail.com> wrote: > > > > Hi Weijun, > > > > Many thanks for your response. I think that indeed it would make sense > to log in KeyTab, since the FileNotFoundException there should even have > the platform-specific reason message coming from the native layer. > > > > At the same time, I think it would make sense to emit a log message > around the original "Key for the principal ... not available in ..." > message as well. It is probably good to have more context when debugging. > > > > I have created a new patch combining the two approaches. Code in > Krb5LoginModule now relies on the KeyTab exists() call: it is probably > better like that. > > Please take a look and let me know what you think. > > > > Thanks, > > Peter > > > > > > > > > > Wei-Jun Wang <weijun.w...@oracle.com> ezt írta (időpont: 2021. aug. > 17., K, 23:33): > > How do you think if we add some debug info at the internal KeyTab > creation at [1]? > > > > For the 2 exceptions we can print out a line and the > exception.toString(), then you will know if the filename doesn’t exist, or > is a directory, or no permission to read. > > > > Of course, you will need to turn on -Dsun.security.krb5.debug=true to > see this level of debug info. > > > > Thanks, > > Weijun > > > > [1] > https://github.com/openjdk/jdk/blob/f4af0eadb6eaf9d9614431110ab7fc9c1588966d/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java#L93 > > > > > > > On Aug 17, 2021, at 4:19 PM, Horváth Péter Gergely < > horvath.peter.gerg...@gmail.com> wrote: > > > > > > Dear All, > > > > > > I am wondering if someone would be kind enough to sponsor the > following small change: > > > > > > When debugging is enabled for > com.sun.security.auth.module.Krb5LoginModule and the file specified by > "keyTab" is not found, Krb5LoginModule simply emits a generic message, > similar to this: > > > "Key for the principal foo...@acme.com not available in > /home/foobar/foobar.keytab" > > > > > > This message can be quite confusing and counterintuitive if the file > is actually not there, because, based on the message, one would think that > the JVM probed the file, found it, loaded the data, but still could not use > the keytab data for authentication. > > > > > > I would propose adding further debug logging to Krb5LoginModule so as > to emit a warning in case the key was not found, due to the file not being > present, readable or a being a directory. > > > > > > Please find attached the patch file: it is trivial, and only affects a > debug branch of the code. > > > > > > Please let me know what you think. > > > > > > Thanks, > > > Peter > > > <keyTab_file_checks.patch> > > > > <keyTab_file_checks2.patch> > >
