Issue with kvno
vishal
vicky.recw at gmail.com
Fri May 29 19:47:21 EDT 2015
thanks.
can someone please reply to this as well just for my understanding:
why do I see kvno in the ticket only when I create a new trust and join
the domain? After 1-2 hours of trust creation I do not see kvno in the ticket.
On Fri, May 29, 2015 at 2:52 PM, Greg Hudson <ghudson at mit.edu> wrote:
> It should be safe, yes.
>
> On 05/29/2015 05:27 PM, vishal wrote:
> > So this fix works fine. I tried it ..it sends ff to trusted domain.
> >
> > is it safe to do this fix? can you please reply.
> >
> > On Fri, May 29, 2015 at 11:31 AM, vishal <vicky.recw at gmail.com
> > <mailto:vicky.recw at gmail.com>> wrote:
> >
> > It should be -1, Wireshark shows it as ff.
> >
> > What do you mean by not easily portable?
> >
> > I would just do:
> > + FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
> >
> > Would it have any side effect?
> >
> > On Fri, May 29, 2015 at 11:21 AM, Greg Hudson <ghudson at mit.edu
> > <mailto:ghudson at mit.edu>> wrote:
> >
> > On 05/29/2015 02:16 PM, vishal wrote:
> > > 1. Windows version is 2008r2 as domain controller.
> > >
> > > 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
> > > for krbtgt for trusted domain from linux box.
> >
> > I believe you are actually getting the ticket with kvno -1, not with
> > kvno 255. When you see FF as the complete ASN.1 encoding of an integer,
> > that means -1, not 255.
> >
> > > 3. Now when we send this ticket in TGS-REQ to trusted domain for ldap
> > > service we modify kvno to 4294967295 .
> > >
> > > We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
> > > trusted domain (step 3) and windows kdc likes this packet.
> > >
> > >
> > >
> > > I got one old blog :
> > >
> > > http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
> > >
> > > Should I try this fix?
> >
> > If you don't see issue with 1.6.3, then that is almost certainly the
> > change you want, but it may not easily backport to 1.7. 1.10.1 and
> > later should have the same workaround.
> >
> >
> >
>
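The point Greg makes in the quoted thread (a lone content octet FF in a DER INTEGER means -1, not 255, and storing that -1 in an unsigned 32-bit kvno field makes it re-encode as 4294967295) can be checked with a few lines of C. The following is an added example written for this page; it is not code from the thread or from MIT krb5. The `der_int_encode`/`der_int_decode` helpers handle only the two's-complement content octets of a DER INTEGER (no tag or length octets), and `reencode_kvno` is a hypothetical model of the two field types being compared, not the real `FIELDOF_OPT` machinery. The wire octets are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode DER INTEGER content octets (big-endian two's complement) into
 * a signed 64-bit value.  Returns 0 on success, -1 if len is 0 or > 8. */
int der_int_decode(const unsigned char *buf, size_t len, int64_t *out)
{
    if (len == 0 || len > 8)
        return -1;
    /* Sign-extend from the top bit of the first content octet; done in
     * unsigned arithmetic to avoid shifting a negative value. */
    uint64_t u = (buf[0] & 0x80) ? ~(uint64_t)0 : 0;
    for (size_t i = 0; i < len; i++)
        u = (u << 8) | buf[i];
    *out = (int64_t)u;
    return 0;
}

/* Encode a signed 64-bit value as minimal DER INTEGER content octets.
 * out must hold at least 8 bytes.  Returns the number of octets written. */
size_t der_int_encode(int64_t v, unsigned char *out)
{
    unsigned char tmp[8];
    uint64_t u = (uint64_t)v;
    for (int i = 7; i >= 0; i--) {
        tmp[i] = (unsigned char)(u & 0xff);
        u >>= 8;
    }
    /* DER requires the shortest form: drop leading 0x00 octets of a positive
     * value and leading 0xFF octets of a negative value, as long as the
     * next octet still carries the right sign bit. */
    size_t start = 0;
    while (start < 7) {
        unsigned char b = tmp[start], next = tmp[start + 1];
        if ((b == 0x00 && !(next & 0x80)) || (b == 0xFF && (next & 0x80)))
            start++;
        else
            break;
    }
    memcpy(out, tmp + start, 8 - start);
    return 8 - start;
}

/* Hypothetical model of the thread's two field types: decode the kvno
 * octets from the wire, store them in a field of the given signedness,
 * and re-encode them for the next TGS-REQ.  Returns the encoded length
 * (0 on decode failure). */
size_t reencode_kvno(const unsigned char *wire, size_t wlen,
                     int as_unsigned32, unsigned char *out)
{
    int64_t v;
    if (der_int_decode(wire, wlen, &v) != 0)
        return 0;
    if (as_unsigned32) {
        uint32_t kvno = (uint32_t)v;        /* unsigned field: -1 -> 4294967295 */
        return der_int_encode((int64_t)kvno, out);
    }
    int32_t kvno = (int32_t)v;              /* int32 field: -1 stays -1 -> FF */
    return der_int_encode((int64_t)kvno, out);
}

static void dump(const char *label, const unsigned char *b, size_t n)
{
    printf("%-28s", label);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", b[i]);
    printf("\n");
}

int main(void)
{
    const unsigned char wire_ff[] = { 0xFF };   /* constructed: what the KDC sent */
    unsigned char out[8];
    int64_t v;
    size_t n;

    der_int_decode(wire_ff, sizeof wire_ff, &v);
    printf("FF decodes to %lld\n", (long long)v);          /* -1 */
    n = der_int_encode(255, out);
    dump("255 encodes as", out, n);                         /* 00 FF */
    n = reencode_kvno(wire_ff, sizeof wire_ff, 1, out);
    dump("unsigned32 field re-encodes", out, n);            /* 00 FF FF FF FF */
    n = reencode_kvno(wire_ff, sizeof wire_ff, 0, out);
    dump("int32 field re-encodes", out, n);                 /* FF */
    return 0;
}
```

Running it shows the asymmetry the thread is about: the KDC's single FF octet decodes to -1, an unsigned 32-bit field turns that into 4294967295 (five octets on the wire), while a signed 32-bit field round-trips it back to the same single FF octet that the 1.6.3 client produced.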