Skip to content

Fix proxy SPNego authentication to respect krb5.conf canonicalization settings. #541

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 3, 2025
Merged

Fix proxy SPNego authentication to respect krb5.conf canonicalization settings. #541

merged 2 commits into from
Nov 3, 2025

Conversation

@renaudhartert-db
Copy link
Contributor

@renaudhartert-db renaudhartert-db commented Oct 31, 2025

This PR changes SPNegoSchemeFactory constructor in ProxyUtils.java to use useCanonicalHostname=false, deferring hostname canonicalization to the Kerberos library based on krb5.conf configuration instead of forcing it at the SDK level.

The previous implementation forced hostname canonicalization for proxy Kerberos authentication, overriding user-configured krb5.conf settings (rdns, dns_canonicalize_hostname). This caused authentication failures in environments with specific Kerberos configurations.

Client libraries should respect system Kerberos configuration rather than override it. This fix makes the SDK compliant with standard Kerberos behavior.

Migration note: Users whose non-compliant Kerberos setups were accidentally working due to forced canonicalization may need to verify their krb5.conf settings are correctly configured.

@github-actions
Copy link

github-actions bot commented Oct 31, 2025

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-java

Inputs:

  • PR number: 541
  • Commit SHA: 41a619b7a87817a3eacfe26685f0770cfde8e7e1

Checks will be approved automatically on success.

Divyansh-db
Divyansh-db approved these changes Nov 3, 2025
View reviewed changes
Copy link
Contributor

@Divyansh-db Divyansh-db left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@renaudhartert-db renaudhartert-db added this pull request to the merge queue Nov 3, 2025
Merged via the queue into main with commit 586a832 Nov 3, 2025
16 checks passed
@renaudhartert-db renaudhartert-db deleted the renaud-hartert_data/proxy branch November 3, 2025 15:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Divyansh-db Divyansh-db Divyansh-db approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@renaudhartert-db @Divyansh-db