Issue with kvno
Greg Hudson
ghudson at mit.edu
Fri May 29 17:52:26 EDT 2015
It should be safe, yes.
On 05/29/2015 05:27 PM, vishal wrote:
> So this fix works fine. I tried it ..it sends ff to trusted domain.
>
> is it safe to do this fix? can you please reply.
>
> On Fri, May 29, 2015 at 11:31 AM, vishal <vicky.recw at gmail.com
> <mailto:vicky.recw at gmail.com>> wrote:
>
> It should be -1, wirehark shows as ff.
>
> What do you mean by not easily portable?
>
> I would do just do:
> + FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
>
> Would it have any side effect?
>
> On Fri, May 29, 2015 at 11:21 AM, Greg Hudson <ghudson at mit.edu
> <mailto:ghudson at mit.edu>> wrote:
>
> On 05/29/2015 02:16 PM, vishal wrote:
> > 1. Windows version is 2008r2 as domain controller.
> >
> > 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
> > for krbtgt for trusted domain from linux box.
>
> I believe you are actually getting the ticket with kvno -1, not with
> kvno 255. When you see FF as the complete ASN.1 encoding of an
> integer,
> that means -1, not 255.
>
> > 3. Now when we send this ticket in TGS-REQ to tursted domain for ldap
> > service we modify kvno to 4294967295 .
> >
> > We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
> > trusted domain (step 3) and windows kdc likes this packet.
> >
> >
> >
> > I got one old blog :
> >
> >
> http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
> <http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html>
> >
> > Should I try this fix?
>
> If you don't see issue with 1.6.3, then that is almost certainly the
> change you want, but it may not easily backport to 1.7. 1.10.1 and
> later should have the same workaround.
>
>
>
More information about the Kerberos
mailing list