[krbdev.mit.edu #7432] krb5-1.10.3: Updating krbtgt with kvno 0
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Oct 26 01:02:41 EDT 2012
I understand the problem. For this specific deployment issue, you might
consider whether it would work to alter the krbtgt DB entry such that the
kvno in the key data is 1 but the keys are the same, then wait for all of
the tickets to turn over.
Further confounding the issue, we use a kvno of 0 to represent an omitted
kvno field in the ASN.1 marshalling of krb5_enc_data, both incoming and
outgoing. So, for instance, I understand that Active Directory KDCs
generally omit the kvno in a cross-realm TGT, and we have code in the
current kdc_rd_ap_req() which handles that by checking the last few
kvnos. That code relies on the omitted kvno translating to a value which
means "the most recent kvno" to the search function.
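An added illustration of the collision described above (hypothetical model code, not MIT krb5's own key-data structures or kdc_rd_ap_req()): a key search that maps an omitted kvno of 0 to "most recent" cannot distinguish a key that is genuinely stored with kvno 0, and the retag-to-1 remediation resolves that without touching key material.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified key list; stands in for a DB entry's key data. */
typedef struct {
    uint32_t kvno;       /* key version number stored with the key */
    const char *keytag;  /* placeholder for the actual key bytes */
} key_entry;

#define KVNO_OMITTED 0   /* wire value that also encodes "no kvno field" */

/* Index of the highest-kvno entry, or -1 when the list is empty. */
static int most_recent(const key_entry *keys, size_t n)
{
    int best = -1;
    for (size_t i = 0; i < n; i++)
        if (best < 0 || keys[i].kvno > keys[best].kvno)
            best = (int)i;
    return best;
}

/* Search with the semantics the ticket describes: an omitted (0) kvno
 * means "the most recent kvno"; any other value must match exactly. */
static int find_key(const key_entry *keys, size_t n, uint32_t wire_kvno)
{
    if (wire_kvno == KVNO_OMITTED)
        return most_recent(keys, n);
    for (size_t i = 0; i < n; i++)
        if (keys[i].kvno == wire_kvno)
            return (int)i;
    return -1;
}

/* Key a ticket carrying wire_kvno would be decrypted with, or NULL. */
static const char *key_for_ticket(const key_entry *keys, size_t n,
                                  uint32_t wire_kvno)
{
    int idx = find_key(keys, n, wire_kvno);
    return idx < 0 ? NULL : keys[idx].keytag;
}

/* The suggested remediation: keep the key material, only raise the stored
 * kvno from 0 to 1 so it no longer collides with the "omitted" sentinel. */
static void retag_kvno_zero(key_entry *keys, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (keys[i].kvno == KVNO_OMITTED)
            keys[i].kvno = 1;
}
```

With a krbtgt entry holding both a kvno-0 key and a newer key, a ticket issued under the kvno-0 key is steered to the newest key instead; after retagging, the old ticket still resolves to the same key material via "most recent" until the tickets turn over.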