From hahnt at us.ibm.com Thu Jun 1 11:57:18 2006
From: hahnt at us.ibm.com (Timothy Hahn)
Date: Thu, 1 Jun 2006 11:57:18 -0400
Subject: [kdc-schema] Fw: [Kdc-info] Preliminary draft of LDAP Kerberos schema
Message-ID:

Nico,

I discussed this proposal with my colleague John McGarvey. John made the excellent point that it is likely easier and more efficient to have a "KDC schema version" stored somewhere which would apply across the set of attributes and object classes used. Then, if some change needs to be made, the "schema version" could be updated as necessary. This would alleviate the potential for having to store attribute value-level version information.

Regards,
Tim Hahn

Internet: hahnt at us.ibm.com
Internal: Timothy Hahn/Durham/IBM at IBMUS
phone: 919.224.1565
tie-line: 8/687.1565
fax: 919.224.2530


From raeburn at MIT.EDU Fri Jun 16 14:08:10 2006
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 16 Jun 2006 14:08:10 -0400
Subject: [kdc-schema] [Kdc-info] Preliminary draft of LDAP Kerberos schema
In-Reply-To: <4492D70E.42B1.00F1.0@novell.com>
References: <20060120201951.GA26500@binky.Central.Sun.COM> <43DF4672.4E7A.000F.0@novell.com> <20060531193513.GM11607@binky.Central.Sun.COM> <4492D70E.42B1.00F1.0@novell.com>
Message-ID:

On Jun 16, 2006, at 06:41, K.G. Gokulavasan wrote:
> Sorry for the late reply. Versioning will be included as part of the
> attribute. As there already exists deployment of this schema, I will
> rename the attribute. Master Key vno is already part of krbSecretKey
> attribute (5th & 6th bytes). Is 16-bit not sufficient for kvno and
> master kvno (it can have value up to 65535)?

I understood that the Microsoft implementation, or at least one version of it, used a timestamp to generate the kvno, not a sequence of small integers. The RFC 4120 protocol allows for 32-bit unsigned kvno values.

Ken


From lukeh at padl.com Fri Jun 16 17:34:38 2006
From: lukeh at padl.com (Luke Howard)
Date: Sat, 17 Jun 2006 07:34:38 +1000
Subject: [kdc-schema] [Kdc-info] Preliminary draft of LDAP Kerberos schema
References: <20060120201951.GA26500@binky.Central.Sun.COM> <43DF4672.4E7A.000F.0@novell.com> <20060531193513.GM11607@binky.Central.Sun.COM> <4492D70E.42B1.00F1.0@novell.com>
Message-ID: <200606162134.k5GLYdEl086201@au.padl.com>

>I understood that the Microsoft implementation, or at least one
>version of it, used a timestamp to generate the kvno, not a sequence
>of small integers. The RFC 4120 protocol allows for 32-bit unsigned
>kvno values.

Was this pre-W2K3? I thought the kvno was fixed in W2K and the value of monotonically increasing msDS-KeyVersionNumber attribute in W2K3.

-- Luke --


From Nicolas.Williams at sun.com Fri Jun 16 17:43:19 2006
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Fri, 16 Jun 2006 16:43:19 -0500
Subject: [kdc-schema] [Kdc-info] Preliminary draft of LDAP Kerberos schema
In-Reply-To: <200606162134.k5GLYdEl086201@au.padl.com>
References: <20060120201951.GA26500@binky.Central.Sun.COM> <43DF4672.4E7A.000F.0@novell.com> <20060531193513.GM11607@binky.Central.Sun.COM> <4492D70E.42B1.00F1.0@novell.com> <200606162134.k5GLYdEl086201@au.padl.com>
Message-ID: <20060616214319.GK5688@binky.Central.Sun.COM>

On Sat, Jun 17, 2006 at 07:34:38AM +1000, Luke Howard wrote:
>
> >I understood that the Microsoft implementation, or at least one
> >version of it, used a timestamp to generate the kvno, not a sequence
> >of small integers. The RFC 4120 protocol allows for 32-bit unsigned
> >kvno values.
>
> Was this pre-W2K3? I thought the kvno was fixed in W2K and the value
> of monotonically increasing msDS-KeyVersionNumber attribute in W2K3.

Nonetheless...

Also, can someone confirm if the Novell idea is to store in krbSecretKey pretty much the same stuff that the MIT db2 backend stores?
From raeburn at MIT.EDU Fri Jun 16 18:08:35 2006
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 16 Jun 2006 18:08:35 -0400
Subject: [kdc-schema] [Kdc-info] Preliminary draft of LDAP Kerberos schema
In-Reply-To: <200606162134.k5GLYdEl086201@au.padl.com>
References: <20060120201951.GA26500@binky.Central.Sun.COM> <43DF4672.4E7A.000F.0@novell.com> <20060531193513.GM11607@binky.Central.Sun.COM> <4492D70E.42B1.00F1.0@novell.com> <200606162134.k5GLYdEl086201@au.padl.com>
Message-ID: <8D6C5B10-32C8-482E-9539-9D0E170B0FDC@MIT.EDU>

On Jun 16, 2006, at 17:34, Luke Howard wrote:
>> I understood that the Microsoft implementation, or at least one
>> version of it, used a timestamp to generate the kvno, not a sequence
>> of small integers. The RFC 4120 protocol allows for 32-bit unsigned
>> kvno values.
>
> Was this pre-W2K3? I thought the kvno was fixed in W2K and the value
> of monotonically increasing msDS-KeyVersionNumber attribute in W2K3.

I don't recall what version. It's also possible I'm remembering wrong and it's just something they mentioned possibly doing, or in development versions, or something. I thought the notion did come from MS though.

But in any case, as the RFC allows for it, and it would be practical under 4120 for the next several decades (32-bit seconds => 136 years, unsigned means 1970-2106), I don't think the schema should prohibit it. (And by 2106 I expect we'll have revised the data format again.)

Ken


From kgokulavasan at novell.com Fri Jun 16 06:41:11 2006
From: kgokulavasan at novell.com (K.G. Gokulavasan)
Date: Fri, 16 Jun 2006 04:41:11 -0600
Subject: [kdc-schema] [Kdc-info] Preliminary draft of LDAP Kerberos schema
In-Reply-To: <20060531193513.GM11607@binky.Central.Sun.COM>
References: <20060120201951.GA26500@binky.Central.Sun.COM> <43DF4672.4E7A.000F.0@novell.com> <20060531193513.GM11607@binky.Central.Sun.COM>
Message-ID: <4492D70E.42B1.00F1.0@novell.com>

>>> On 6/1/06 at 1:05 AM, in message <20060531193513.GM11607 at binky.Central.Sun.COM>, Nicolas Williams wrote:
> On Mon, Jan 30, 2006 at 10:45:09PM -0700, Rajasekaran Nagarajan wrote:
>> Hi Nico:
>>
>> Thanks very much for your comments. I shall appropriately incorporate
>> these comments in the draft and post the updated draft soon.
>
> Well?
>
> BTW, MIT is getting close to shipping and I'm concerned. I'm
> particularly concerned about the lack of versioning of the krbSecretKey
> attribute, the 16-bit kvno, the lack of a master key vno, etc...
>
> I think MIT ought to fix this now if at all possible. If there exist
> deployments of this schema then rename krbSecretKey now and fix its
> contents' format.
>

Sorry for the late reply. Versioning will be included as part of the attribute. As there already exists deployment of this schema, I will rename the attribute. Master Key vno is already part of krbSecretKey attribute (5th & 6th bytes). Is 16-bit not sufficient for kvno and master kvno (it can have value up to 65535)?

Regards,
Gokul.
From jhutz at cmu.edu Sun Jun 18 01:37:13 2006
From: jhutz at cmu.edu (Jeffrey Hutzelman)
Date: Sun, 18 Jun 2006 01:37:13 -0400
Subject: [kdc-schema] [Kdc-info] Preliminary draft of LDAP Kerberos schema
In-Reply-To: <8D6C5B10-32C8-482E-9539-9D0E170B0FDC@MIT.EDU>
References: <20060120201951.GA26500@binky.Central.Sun.COM> <43DF4672.4E7A.000F.0@novell.com> <20060531193513.GM11607@binky.Central.Sun.COM> <4492D70E.42B1.00F1.0@novell.com> <200606162134.k5GLYdEl086201@au.padl.com> <8D6C5B10-32C8-482E-9539-9D0E170B0FDC@MIT.EDU>
Message-ID:

On Friday, June 16, 2006 06:08:35 PM -0400 Ken Raeburn wrote:
> On Jun 16, 2006, at 17:34, Luke Howard wrote:
>>> I understood that the Microsoft implementation, or at least one
>>> version of it, used a timestamp to generate the kvno, not a sequence
>>> of small integers. The RFC 4120 protocol allows for 32-bit unsigned
>>> kvno values.
>>
>> Was this pre-W2K3? I thought the kvno was fixed in W2K and the value
>> of monotonically increasing msDS-KeyVersionNumber attribute in W2K3.
>
> I don't recall what version. It's also possible I'm remembering
> wrong and it's just something they mentioned possibly doing, or in
> development versions, or something. I thought the notion did come
> from MS though.
>
> But in any case, as the RFC allows for it, and it would be practical
> under 4120 for the next several decades (32-bit seconds => 136 years,
> unsigned means 1970-2106), I don't think the schema should prohibit
> it. (And by 2106 I expect we'll have revised the data format again.)

Of course, RFC4120 is relevant only for the principal kvno. Since the mkvno never actually appears on the wire...
From hartmans at MIT.EDU Mon Jun 19 15:25:13 2006
From: hartmans at MIT.EDU (Sam Hartman)
Date: Mon, 19 Jun 2006 15:25:13 -0400
Subject: [kdc-schema] [Kdc-info] Preliminary draft of LDAP Kerberos schema
In-Reply-To: (Jeffrey Hutzelman's message of "Sun, 18 Jun 2006 01:37:13 -0400")
References: <20060120201951.GA26500@binky.Central.Sun.COM> <43DF4672.4E7A.000F.0@novell.com> <20060531193513.GM11607@binky.Central.Sun.COM> <4492D70E.42B1.00F1.0@novell.com> <200606162134.k5GLYdEl086201@au.padl.com> <8D6C5B10-32C8-482E-9539-9D0E170B0FDC@MIT.EDU>
Message-ID:

Microsoft did have a beta that used timestamps for kvno. The problem with this was that it interacted badly with MIT and Heimdal keytabs.
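The thread turns on three field widths for the key version number: the draft schema's 16-bit kvno/mkvno that Gokul asks about (max 65535), the 32-bit unsigned kvno RFC 4120 allows that Ken cites, and a timestamp-derived kvno that would only fit the latter. The script below is an added illustration, not code from the thread or from any of the projects named in it. It checks a kvno against each width, carries Ken's 2^32-seconds arithmetic through, and shows what a 16-bit attribute silently does to a wider value, which is the interoperability failure Sam's last message alludes to. The one-byte keytab width is an assumption about the classic MIT/Heimdal keytab entry layout and is not stated anywhere in the thread; the sample principals and kvnos are constructed.

```python
"""Range checks for Kerberos key version numbers (kvno) against the field
widths discussed in the kdc-schema thread: the draft LDAP schema's 16-bit
field, RFC 4120's 32-bit unsigned kvno, and a timestamp-derived kvno."""

import struct
from datetime import datetime, timezone

# Widths under discussion. The keytab width is an ASSUMPTION about the
# classic MIT/Heimdal keytab entry, which carries the vno in one byte
# (newer entries append a 32-bit vno); the thread does not state it.
WIDTHS = {
    "rfc4120_u32": 32,   # RFC 4120: kvno is UInt32
    "schema_u16": 16,    # draft LDAP schema: 16-bit kvno / mkvno (max 65535)
    "keytab_vno8": 8,    # assumed classic keytab entry vno byte
}


def fits(value, bits):
    """True if a non-negative integer can be stored in `bits` bits unchanged."""
    return 0 <= value < (1 << bits)


def check_kvno(value):
    """Which of the discussed widths can hold `value` without truncation."""
    return {name: fits(value, bits) for name, bits in WIDTHS.items()}


def timestamp_kvno(year, month, day):
    """The Microsoft-beta style kvno Ken and Sam mention: seconds since
    1970 (UTC midnight of the given date), as an unsigned integer."""
    when = datetime(year, month, day, tzinfo=timezone.utc)
    return int(when.timestamp())


def unsigned_32bit_horizon():
    """Ken's arithmetic: 2^32 seconds is about 136 years, so an unsigned
    32-bit timestamp kvno runs out in 2106. Returns (years, last_year)."""
    seconds = 1 << 32
    years = round(seconds / (365.25 * 86400))
    last = datetime.fromtimestamp(seconds - 1, tz=timezone.utc)
    return years, last.year


def store_as_u16(value):
    """What silently happens when a wider kvno is packed into a 16-bit
    attribute: only the low 16 bits survive the round trip."""
    return struct.unpack(">H", struct.pack(">H", value & 0xFFFF))[0]


def truncation_problems(records):
    """Audit (principal, kvno) pairs before loading them into a 16-bit
    schema: report values that would be altered, and distinct kvnos that
    collapse onto the same stored value (a key-selection ambiguity)."""
    altered = [(p, k) for p, k in records if store_as_u16(k) != k]
    seen = {}
    for _, k in records:
        seen.setdefault(store_as_u16(k), set()).add(k)
    collisions = {s: sorted(ks) for s, ks in seen.items() if len(ks) > 1}
    return {"altered": altered, "collisions": collisions}


if __name__ == "__main__":
    # Constructed sample: a small sequential kvno, the first value past
    # the 16-bit range, and a timestamp kvno from the date of this thread.
    ts = timestamp_kvno(2006, 6, 16)
    sample = [("host/a.example", 3), ("host/b.example", 65536),
              ("host/c.example", ts)]
    for principal, kvno in sample:
        print(principal, kvno, check_kvno(kvno))
    print("32-bit horizon (years, last year):", unsigned_32bit_horizon())
    print("audit:", truncation_problems(sample + [("host/d.example", 0)]))
```

The audit function is the part worth keeping around: run it over the kvnos already in a database before migrating to a narrower attribute, since a value that is altered on the way in will never match the kvno the client presents, and two values that collapse onto one stored number leave the KDC unable to tell which key was meant.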