Issue with kvno

Greg Hudson ghudson at mit.edu
Fri May 29 14:21:02 EDT 2015


On 05/29/2015 02:16 PM, vishal wrote:
> 1. Windows version is 2008r2 as domain controller.
>  
> 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
> for krbtgt for trusted domain from linux box.

I believe you are actually getting the ticket with kvno -1, not with
kvno 255.  When you see FF as the complete ASN.1 encoding of an integer,
that means -1, not 255.

> 3. Now when we send this ticket in TGS-REQ to trusted domain for ldap
> service we modify kvno to 4294967295.
>
> We do not see this issue with Kerberos 1.6.3. It sends kvno as 255 to
> trusted domain (step 3) and Windows KDC likes this packet.
>
> I got one old blog:
>
> http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
>
> Should I try this fix?

If you don't see the issue with 1.6.3, then that is almost certainly the
change you want, but it may not easily backport to 1.7.  1.10.1 and
later should have the same workaround.
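The point about FF being -1 is a property of how ASN.1 DER encodes INTEGER: the content octets are two's complement, so a single byte FF decodes to -1, and 255 needs a leading zero octet (00 FF). The 4294967295 seen in step 3 is what -1 becomes when a decoder stores it in a 32-bit unsigned field, which is the type RFC 4120 gives kvno (UInt32, 0..4294967295). The following Python is an added example written for this page, not code from MIT Kerberos or from the thread; the function names are my own, and the sample encodings are constructed to match the values discussed above.

```python
"""DER INTEGER encoding and decoding, to show why the content byte FF is -1,
how 255 is actually encoded, and how -1 turns into 4294967295 in a UInt32.
Constructed example; not MIT Kerberos code."""


def der_integer(value: int) -> bytes:
    """Encode a Python int as a minimal DER INTEGER TLV (tag 0x02).

    DER requires the shortest two's complement content that still carries
    the sign, so 255 becomes 02 02 00 FF while -1 becomes 02 01 FF.
    """
    length = 1
    while not (-(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1))):
        length += 1
    body = value.to_bytes(length, "big", signed=True)
    return bytes([0x02, length]) + body


def decode_der_integer(data: bytes) -> int:
    """Decode a short-form DER INTEGER TLV as a signed value.

    A correct ASN.1 decoder treats the content as two's complement, so the
    TLV 02 01 FF yields -1, never 255.
    """
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = data[1]
    if length >= 0x80:
        raise ValueError("long-form length not handled in this example")
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(body, "big", signed=True)


def as_unsigned32(value: int) -> int:
    """What a caller sees after storing the decoded int in a uint32 field:
    -1 wraps to 4294967295, which is the kvno reported in step 3 above."""
    return value & 0xFFFFFFFF


def kvno_in_range(value: int) -> bool:
    """RFC 4120 declares kvno as UInt32 (0..4294967295); a decoded -1 is
    outside that range, which is a sign the sender encoded it incorrectly."""
    return 0 <= value <= 0xFFFFFFFF


def explain(tlv: bytes) -> dict:
    """Summarise one encoded kvno: signed decode, uint32 view, range check."""
    signed = decode_der_integer(tlv)
    return {
        "hex": tlv.hex(),
        "signed": signed,
        "uint32": as_unsigned32(signed),
        "valid_kvno": kvno_in_range(signed),
    }


if __name__ == "__main__":
    # Constructed samples: the single-byte FF from the thread, and a
    # correctly encoded 255.
    for tlv in (bytes.fromhex("0201ff"), der_integer(255)):
        print(explain(tlv))
```

Running the block prints the two decodings side by side: `0201ff` decodes to -1 (uint32 view 4294967295, out of range for kvno), while the correct encoding of 255 is `020200ff`. A decoder that rejects or logs out-of-range kvno values after signed decoding catches this kind of peer encoding error at the protocol boundary rather than passing a wrapped 4294967295 along to the next hop.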
