Kerberos 1.7 and later does not interoperate with AD Read-only DCs

Adam Bernstein abernstein at
Tue Feb 21 13:41:41 EST 2012

On 02/21/2012 10:10 AM, Greg Hudson wrote:
> On 02/20/2012 09:54 PM, Adam Bernstein wrote:
>> Interestingly, this problem does not reproduce using Kerberos 1.6.
>
> In krb5 1.6 we encode by casting the kvno value (an unsigned int) to
> int, then encode it as a signed value.  There is a comment saying
> "krb5_kvno should be int".  We decode this field as a signed long and
> then cast the result to an unsigned int.  (That means we reject
> RFC4120-conformant kvno values >= 0x80000000 on platforms where long is
> 32-bit.)
>
> In krb5 1.7-1.10, as you noted, the encoder treats the field as an
> unsigned 32-bit integer, which conforms better to RFC 4120 but generates
> TGS requests which don't interoperate with RODCs using RodcIDs >=
> 0x8000.  The decoder behavior hasn't changed.
>
> In the trunk, we encode and decode the kvno value as unsigned 32-bit
> numbers, which means we would probably reject the AS reply from an RODC
> with RodcID >= 0x8000.
>
> I think the most practical solution is to restore the 1.6 behavior,
> treating kvno as a signed 32-bit value when encoding and decoding.
> Although this conflicts with RFC 4120, I think RODCs are the only case
> where kvno values that large are likely to appear in the wild.  If
> you're in a position to test patches, I will run them by you.

Yes, we have a Read-write/read-only DC configuration we can use for 
testing. I've pulled Kerberos 1.10 and built that to verify the behavior 
is the same in this case as 1.7. I can easily apply a patch to Kerberos 
and verify the patch works with the RODC.

Our short-term solution to this issue was to make the following change 
to asn1_k_encode.c:
Index: src/lib/krb5/asn.1/asn1_k_encode.c
--- src/lib/krb5/asn.1/asn1_k_encode.c  (revision 63560)
+++ src/lib/krb5/asn.1/asn1_k_encode.c  (revision 63561)
@@ -146,7 +146,7 @@ optional_encrypted_data (const void *vptr)

  static const struct field_info encrypted_data_fields[] = {
      FIELDOF_NORM(krb5_enc_data, int32, enctype, 0),
-    FIELDOF_OPT(krb5_enc_data, uint, kvno, 1, 1),
+    FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
      FIELDOF_NORM(krb5_enc_data, ostring_data, ciphertext, 2),
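
Review bot: The replaced kvno line in encrypted_data_fields now passes an unsigned kvno through the int32 field type with no comment saying that this is a deliberate departure from RFC 4120 made for RODC interoperability, so a later cleanup could easily switch it back to uint. Suggest a short comment directly above `FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),` recording that reason. Only the encoder table is touched here; since the discussion above says the decoder reads this field as a signed long and then casts it, it is worth confirming the decode side accepts the same range on platforms where long is 32-bit.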


> (As an aside, Heimdal appears to treat the EncryptedData kvno field as
> unsigned 32-bit, conformant to RFC 4120.  It probably also doesn't
> interoperate with RODCs with RodcID >= 0x8000.)

More information about the krbdev mailing list
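
Added example, not part of the original message and not krb5 code: a minimal DER INTEGER encoder showing why the same 32-bit kvno produces different wire bytes when treated as unsigned versus signed, which is the mismatch discussed in this thread. It assumes the RodcID occupies the high 16 bits of the kvno (implied by the 0x8000 / 0x80000000 thresholds above); all function names and the sample value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal DER INTEGER (tag 0x02, length, shortest two's-complement content). */
static size_t der_integer(int64_t value, unsigned char *out)
{
    uint64_t u = (uint64_t)value;      /* two's-complement bit pattern */
    unsigned char b[8];
    size_t i, start = 0, len;
    for (i = 0; i < 8; i++)
        b[i] = (unsigned char)(u >> (56 - 8 * i));
    /* Drop leading bytes that only repeat the sign bit. */
    while (start < 7 && ((b[start] == 0x00 && !(b[start + 1] & 0x80)) ||
                         (b[start] == 0xff && (b[start + 1] & 0x80))))
        start++;
    len = 8 - start;
    out[0] = 0x02;
    out[1] = (unsigned char)len;
    memcpy(out + 2, b + start, len);
    return 2 + len;                    /* at most 10 bytes written */
}

/* Assumption: RodcID in the high 16 bits, key version in the low 16. */
uint32_t rodc_kvno(uint16_t rodc_id, uint16_t version)
{
    return ((uint32_t)rodc_id << 16) | version;
}

/* Unsigned treatment, as the thread describes for krb5 1.7-1.10. */
size_t encode_kvno_unsigned(uint32_t kvno, unsigned char *out)
{
    return der_integer((int64_t)kvno, out);
}

/* Signed 32-bit treatment, as in krb5 1.6 and the int32 change above. */
size_t encode_kvno_signed(uint32_t kvno, unsigned char *out)
{
    int64_t v = (int64_t)kvno - ((kvno & 0x80000000u) ? INT64_C(0x100000000) : 0);
    return der_integer(v, out);
}

int main(void)
{
    unsigned char u[10], s[10];
    uint32_t k = rodc_kvno(0x8001, 3);  /* constructed sample value */
    printf("kvno 0x%08x: unsigned %zu bytes, signed %zu bytes\n", (unsigned)k,
           encode_kvno_unsigned(k, u), encode_kvno_signed(k, s));
    return 0;
}
```

For any kvno below 0x80000000 the two encoders emit identical bytes, which is why the difference only surfaces with RodcID >= 0x8000.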