[krbdev.mit.edu #7109] Key rollover for MIT/AD cross TGT principals fails due to kvno 0
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Mar 29 16:32:41 EDT 2012
Normally, in a cross-realm relationship from realm A to realm B, the KDC
DB entries for krbtgt/B at A are expected to have the same kvno in both
realms. This kvno is reflected in the kvno field of the enc-part field
of the Ticket issued by realm A's KDC.
Active Directory (at least for some versions) ignores incoming kvnos and
supplies a kvno of 0 for tickets for cross TGTs. When such a ticket is
processed by an MIT KDC, we treat the 0-valued kvno as "the highest
available kvno," possibly as a happy accident of the
kdb_dbe_search_enctype contract. If the ticket corresponds to the
newest version of the cross-realm TGT, this works fine. However, if an
admin tries to roll over the key of a cross TGT principal, old cross-realm
tickets will break.
The most robust solution is to try all kvnos if the protocol kvno is 0.
It is possible that newer versions of AD ameliorate this issue, making
it a lower priority, but I'm really not sure. It's worth noting that
(at least) older versions of AD don't support multiple kvnos in their
cross-realm TGTs, so rolling over the MIT->AD cross TGT will necessarily
break old tickets.
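To make the rollover failure concrete, here is an added model of the KDC's kvno lookup (example code, not MIT krb5 or AD code): the keyed-tag "encryption", the KDB entry and the key bytes are constructed stand-ins, and `try_all_on_zero` is a hypothetical switch between the current "kvno 0 means highest kvno" behaviour and the proposed "try all kvnos" fix.

```python
import hashlib
from dataclasses import dataclass


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Constructed stand-in for the ticket enc-part: keyed tag + plaintext.
    return hashlib.sha256(key + plaintext).digest()[:8] + plaintext


def toy_decrypt(key: bytes, ciphertext: bytes):
    # Returns None when the key is wrong, like a real integrity failure.
    tag, plaintext = ciphertext[:8], ciphertext[8:]
    if hashlib.sha256(key + plaintext).digest()[:8] != tag:
        return None
    return plaintext


@dataclass
class CrossTgtEntry:
    keys: dict  # krbtgt/B@A in realm A's KDB: kvno -> key bytes

    def highest_kvno(self) -> int:
        return max(self.keys)


def candidate_kvnos(entry, ticket_kvno, try_all_on_zero):
    """Which DB key versions to try against a ticket's enc-part.
    ticket_kvno == 0 is what AD sends for cross TGTs."""
    if ticket_kvno != 0:
        return [ticket_kvno] if ticket_kvno in entry.keys else []
    if try_all_on_zero:
        return sorted(entry.keys, reverse=True)  # proposed fix: newest first
    return [entry.highest_kvno()]  # current behaviour


def decrypt_ticket(entry, ticket_kvno, enc_part, try_all_on_zero):
    for kvno in candidate_kvnos(entry, ticket_kvno, try_all_on_zero):
        pt = toy_decrypt(entry.keys[kvno], enc_part)
        if pt is not None:
            return kvno, pt
    return None


def rollover_scenario(try_all_on_zero):
    """AD issues a cross-realm ticket under kvno 1 but labels it kvno 0;
    the admin then rolls the cross TGT key to kvno 2. Constructed keys."""
    entry = CrossTgtEntry(keys={1: b"old-key-v1-0000"})
    enc_part = toy_encrypt(entry.keys[1], b"client@B ticket body")
    entry.keys[2] = b"new-key-v2-0000"  # key rollover in realm A's KDB
    return decrypt_ticket(entry, 0, enc_part, try_all_on_zero)
```

With the current behaviour the old ticket fails after rollover; with the try-all behaviour it still decrypts under kvno 1.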