Grouper / GRP-933

grouper kerberos authn should use krb5.conf so multiple kdcs can be used


Details

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Affects Version: 2.2.0
    • Fix Version: 2.2.0
    • Component: WS
    • Labels: None

    Description

      If you specify the realm and kdc through the system properties, Java caches them once they are read and you cannot change them while the JVM is running:

      System.setProperty("java.security.krb5.realm", Config.retrieveConfig().propertyValueString("kerberos.realm"));
      System.setProperty("java.security.krb5.kdc", Config.retrieveConfig().propertyValueString("kerberos.kdc.address"));

      Those would be: UPENN.EDU and kerberos1.upenn.edu

      However, you can instead use the krb5.conf file with Java Kerberos. It looks for it on the system, or you could specify it. I guess we should just specify it or put it in the connectStrings folder:

      File krb5confFile = FastFileUtils.fileFromResourceName("krb5.conf");

      if (krb5confFile == null) {
        throw new RuntimeException("Can't find krb5.conf!");
      }

      System.setProperty("java.security.krb5.conf", krb5confFile.getAbsolutePath());

      Then you can specify multiple kdcs in the krb5.conf:

      [libdefaults]
      default_realm = UPENN.EDU
      default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
      default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

      [realms]
      UPENN.EDU = {
        kdc = kerberos1.upenn.edu
        kdc = kerberos2.upenn.edu
        kdc = kerberos3.upenn.edu
        admin_server = kerberos1.upenn.edu
      }

      And now it will fail over when one is not available (I put in the wrong address, and it worked):

      default etypes for default_tkt_enctypes: 16 1.
      default etypes for default_tkt_enctypes: 16 1.
      >>> KrbAsReq calling createMessage
      >>> KrbAsReq in createMessage
      >>> KrbKdcReq send: kdc=kerberos0.upenn.edu UDP:88, timeout=30000, number of retries =3, #bytes=178
      >>> KrbKdcReq send: kdc=kerberos1.upenn.edu UDP:88, timeout=30000, number of retries =3, #bytes=178
      >>> KDCCommunication: kdc=kerberos1.upenn.edu UDP:88, timeout=30000,Attempt =1, #bytes=178
      >>> KrbKdcReq send: #bytes read=292
      >>> KrbKdcReq send: #bytes read=292
      >>> KDCRep: init() encoding tag is 126 req type is 11
      >>>KRBError:
      cTime is Fri Oct 19 14:49:57 EDT 2012 1350672597000
      sTime is Fri Oct 19 14:49:57 EDT 2012 1350672597000
      suSec is 234094
      error code is 25
      error Message is Additional pre-authentication required
      crealm is UPENN.EDU
      cname is penngroups_activemq_test/medley.isc-seo.upenn.edu
      realm is UPENN.EDU
      sname is krbtgt/UPENN.EDU
      eData provided.
      msgType is 30
      >>>Pre-Authentication Data:
      PA-DATA type = 2
      PA-ENC-TIMESTAMP
      >>>Pre-Authentication Data:
      PA-DATA type = 11
      PA-ETYPE-INFO etype = 16
      >>>Pre-Authentication Data:
      PA-DATA type = 19
      PA-ETYPE-INFO2 etype = 16
      >>>Pre-Authentication Data:
      PA-DATA type = 13
      KRBError received: NEEDED_PREAUTH
      AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
      default etypes for default_tkt_enctypes: 16 1.
      Pre-Authentication: Set preferred etype = 16
      >>>KrbAsReq salt is UPENN.EDUpenngroups_activemq_testmedley.isc-seo.upenn.edu
      Pre-Authenticaton: find key for etype = 16
      AS-REQ: Add PA_ENC_TIMESTAMP now
      >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
      >>> KrbAsReq calling createMessage
      >>> KrbAsReq in createMessage
      >>> KrbKdcReq send: kdc=kerberos0.upenn.edu UDP:88, timeout=30000, number of retries =3, #bytes=262
      >>> KrbKdcReq send: kdc=kerberos1.upenn.edu UDP:88, timeout=30000, number of retries =3, #bytes=262
      >>> KDCCommunication: kdc=kerberos1.upenn.edu UDP:88, timeout=30000,Attempt =1, #bytes=262
      >>> KrbKdcReq send: #bytes read=657
      >>> KrbKdcReq send: #bytes read=657
      >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
      >>> KrbAsRep cons in KrbAsReq.getReply penngroups_activemq_test/medley.isc-seo.upenn.edu
      default etypes for default_tkt_enctypes: 16 1.
      true
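      The approach above carried end to end, as an added example that is not Grouper's own code: it points the JVM at a krb5.conf file, builds the JAAS configuration in code and obtains a TGT through Krb5LoginModule, so the kdc list and the failover seen in the trace come entirely from krb5.conf. Keytab-based login, the class name and the JAAS entry name are assumptions; refreshKrb5Config is a documented Krb5LoginModule option that re-reads krb5.conf before each login.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class Krb5ConfLogin {
    /** Point the JVM at krb5.conf instead of pinning one kdc through system properties. */
    static void useKrb5Conf(File krb5conf) {
        if (!krb5conf.isFile()) {
            throw new IllegalStateException("Can't find krb5.conf: " + krb5conf);
        }
        // Set before the first Kerberos class loads; afterwards the JVM caches the
        // settings, which is the problem this issue describes.
        System.setProperty("java.security.krb5.conf", krb5conf.getAbsolutePath());
    }
    /** JAAS configuration built in code, so no separate login.conf is needed (assumed keytab login). */
    static Configuration keytabConfig(String principal, File keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab.getAbsolutePath());
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        opts.put("refreshKrb5Config", "true"); // re-read krb5.conf on every login
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }
    /** Obtains a TGT; the kdc list and the failover between kdcs come from krb5.conf. */
    static Subject login(String principal, File keytab) throws LoginException {
        LoginContext lc = new LoginContext("grouper-ws", null, null, keytabConfig(principal, keytab));
        lc.login();
        return lc.getSubject();
    }
    public static void main(String[] args) throws LoginException {
        useKrb5Conf(new File(args[0]));                       // path to krb5.conf
        Subject subject = login(args[1], new File(args[2]));  // principal, keytab
        System.out.println("TGT acquired for " + subject.getPrincipals());
    }
}
```

      Running it with sun.security.krb5.debug=true on the command line produces the same KrbKdcReq trace as above, which is the quickest way to confirm which kdc answered.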

          People

            Assignee / Reporter: Chris Hyzer (upenn.edu), chris.hyzer@at.internet2.edu