[krbdev.mit.edu #7109] Key rollover for MIT/AD cross TGT principals fails due to kvno 0
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Mar 29 17:10:43 EDT 2012

After further conversation, it appears that all current versions of AD
have this issue (always using kvno 0 for cross-realm TGTs). They also
have the reverse issue: they don't support multiple keys for their cross-
realm TGT entries, so you can't do key rollover in the MIT->AD direction
without breaking old tickets.