Issue with kvno

vishal vicky.recw at gmail.com
Fri May 29 14:31:58 EDT 2015


It should be -1, Wireshark shows as ff.

What do you mean by not easily portable?

I would just do:
+ FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),

Would it have any side effect?

On Fri, May 29, 2015 at 11:21 AM, Greg Hudson <ghudson at mit.edu> wrote:

> On 05/29/2015 02:16 PM, vishal wrote:
> > 1. Windows version is 2008r2 as domain controller.
> >
> > 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
> > for krbtgt for trusted domain from linux box.
>
> I believe you are actually getting the ticket with kvno -1, not with
> kvno 255.  When you see FF as the complete ASN.1 encoding of an integer,
> that means -1, not 255.
>
> > 3. Now when we send this ticket in TGS-REQ to trusted domain for ldap
> > service we modify kvno to 4294967295.
> >
> > We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
> > trusted domain (step 3) and windows kdc likes this packet.
> >
> >
> >
> > I got one old blog :
> >
> >
> > http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
> >
> >
> > Should I try this fix?
>
> If you don't see issue with 1.6.3, then that is almost certainly the
> change you want, but it may not easily backport to 1.7.  1.10.1 and
> later should have the same workaround.
>
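The encoding point Greg makes above (a lone FF byte as the contents of an ASN.1 INTEGER is -1, while 255 needs the two bytes 00 FF) and the 4294967295 / 255 values seen in the thread can be checked with a small DER INTEGER encoder/decoder. This is an added example written for this page, not code from MIT krb5 or from either poster; the sample wire bytes are constructed, and `as_uint32` / `as_uint8` are hypothetical helpers that only illustrate how -1 reads when a field is treated as unsigned 32-bit or truncated to one byte.

```python
# Added example (not from the thread or the krb5 source): DER INTEGER
# encode/decode, used to show why a single 0xFF contents byte means -1 and
# how -1 turns into 4294967295 or 255 under other integer interpretations.

def _min_signed_len(value: int) -> int:
    """Smallest number of two's-complement bytes that can hold value."""
    n = 1
    while not (-(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1))):
        n += 1
    return n


def der_integer_encode(value: int) -> bytes:
    """DER INTEGER TLV: tag 0x02, short-form length, minimal two's-complement contents."""
    contents = value.to_bytes(_min_signed_len(value), "big", signed=True)
    if len(contents) > 127:
        raise ValueError("example only handles short-form lengths")
    return b"\x02" + bytes([len(contents)]) + contents


def der_integer_decode(data: bytes) -> int:
    """Decode a DER INTEGER TLV, rejecting non-minimal contents as DER requires."""
    if len(data) < 3 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = data[1]
    if length > 127 or len(data) != 2 + length:
        raise ValueError("bad length")
    contents = data[2:]
    if length > 1:
        first, second = contents[0], contents[1]
        # A leading 0x00 or 0xFF byte is only allowed when needed for the sign bit.
        if (first == 0x00 and second < 0x80) or (first == 0xFF and second >= 0x80):
            raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(contents, "big", signed=True)


def as_uint32(value: int) -> int:
    """Hypothetical helper: reinterpret a signed value as unsigned 32-bit (-1 -> 4294967295)."""
    return value & 0xFFFFFFFF


def as_uint8(value: int) -> int:
    """Hypothetical helper: keep only the low byte (-1 -> 255)."""
    return value & 0xFF


if __name__ == "__main__":
    # Constructed sample: the TLV for an INTEGER whose contents byte is FF.
    wire = bytes.fromhex("0201ff")
    kvno = der_integer_decode(wire)
    print(kvno, as_uint32(kvno), as_uint8(kvno))  # -1 4294967295 255
    print(der_integer_encode(255).hex())  # 020200ff
    print(der_integer_encode(-1).hex())  # 0201ff
```

Decoding the constructed `02 01 ff` gives -1, which becomes 4294967295 when read as an unsigned 32-bit value and 255 when truncated to a byte; encoding 255 correctly produces `02 02 00 ff`, not a single FF byte.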