Kerberos 1.7 and later does not interoperate with AD Read-only DCs

Greg Hudson ghudson at MIT.EDU
Mon Mar 5 10:59:48 EST 2012

On 02/29/2012 06:37 PM, Nico Williams wrote:
> How does this come up?  Via forwarded TGTs with these weird kvnos in
> their enc-part's EncryptedData?

Simpler than that.  When you make an AS request, you get back a Ticket,
which has an EncryptedData.  We decode that and re-encode it for TGS

> Also, we're not changing the definition for kvno anywhere else, correct?

On the wire, kvno is apparently only used in EncryptedData.  That may
change with CAMMAC (where we want to associate a kvno and enctype with a
Checksum) but for now it's true.

I didn't change any on-disk representation of kvnos.

> Finally: do we have to make sure that kvnos for MIT principals never
> get larger than 2^31 - 1?

Well, we never worried about this in 1.6 and prior (which is the
behavior we're going back to), so I'm not sure it's a problem.
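As an added illustration (not part of the thread and not MIT krb5 code), the following script round-trips the EncryptedData type named above through a hand-rolled DER encoder/decoder. The sample kvno 0x80010002 is constructed so that it exceeds 2^31-1; the message does not say which step mangles such values, so the "faulty" path that squeezes the kvno through a signed 32-bit integer before re-encoding is a hypothesis of this example only. The names der_integer, encode_encrypted_data and kvno_via_signed32 are the example's own.

```python
"""Minimal DER round-trip for the Kerberos EncryptedData type (RFC 4120 5.2.9).

Hypothetical example code, not from MIT krb5.  It shows that a kvno above
2^31-1 survives a decode/re-encode only if it is treated as UInt32.
"""
import struct

UINT32_MAX = 0xFFFFFFFF


def der_len(n):
    """DER length octets: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    """INTEGER with minimal two's-complement content (DER rule)."""
    length = 1
    while not (-(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1))):
        length += 1
    return der_tlv(0x02, value.to_bytes(length, "big", signed=True))


def der_read(buf):
    """Split one TLV off the front: returns (tag, content, rest)."""
    tag = buf[0]
    if buf[1] < 0x80:
        n, off = buf[1], 2
    else:
        k = buf[1] & 0x7F
        n, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[off:off + n], buf[off + n:]


def encode_encrypted_data(etype, kvno, cipher, kvno_encoder=der_integer):
    """EncryptedData ::= SEQUENCE { etype [0] Int32, kvno [1] UInt32 OPTIONAL,
    cipher [2] OCTET STRING }  (explicit context tags, as RFC 4120 uses)."""
    fields = der_tlv(0xA0, der_integer(etype))
    if kvno is not None:
        fields += der_tlv(0xA1, kvno_encoder(kvno))
    fields += der_tlv(0xA2, der_tlv(0x04, cipher))
    return der_tlv(0x30, fields)


def decode_encrypted_data(buf):
    """Decode EncryptedData, enforcing the UInt32 range on kvno."""
    tag, body, rest = der_read(buf)
    if tag != 0x30 or rest:
        raise ValueError("bad EncryptedData SEQUENCE")
    out = {"etype": None, "kvno": None, "cipher": None}
    while body:
        ctag, inner, body = der_read(body)
        itag, val, trailing = der_read(inner)
        if trailing:
            raise ValueError("trailing bytes inside explicit tag")
        if ctag == 0xA0 and itag == 0x02:
            out["etype"] = int.from_bytes(val, "big", signed=True)
        elif ctag == 0xA1 and itag == 0x02:
            # DER INTEGER is signed; a UInt32 field must still decode to 0..2^32-1.
            kvno = int.from_bytes(val, "big", signed=True)
            if not 0 <= kvno <= UINT32_MAX:
                raise ValueError(f"kvno {kvno} is outside UInt32")
            out["kvno"] = kvno
        elif ctag == 0xA2 and itag == 0x04:
            out["cipher"] = val
        else:
            raise ValueError(f"unexpected field tag {ctag:#x}/{itag:#x}")
    if out["etype"] is None or out["cipher"] is None:
        raise ValueError("missing required field")
    return out


def kvno_via_signed32(kvno):
    """Hypothetical faulty path: the kvno passes through a C 'int' before
    being re-encoded, so the high bit becomes a sign bit."""
    return der_integer(struct.unpack(">i", struct.pack(">I", kvno))[0])


def reencode(buf, kvno_encoder=der_integer):
    """Decode a Ticket's enc-part and encode it again, as a TGS request would."""
    d = decode_encrypted_data(buf)
    return encode_encrypted_data(d["etype"], d["kvno"], d["cipher"], kvno_encoder)


SAMPLE_KVNO = 0x80010002                       # constructed: > 2^31-1
SAMPLE = encode_encrypted_data(18, SAMPLE_KVNO, b"\x00" * 16)  # constructed cipher

if __name__ == "__main__":
    print("UInt32 re-encode :", reencode(SAMPLE).hex())
    print("int32 re-encode  :", reencode(SAMPLE, kvno_via_signed32).hex())
    try:
        decode_encrypted_data(reencode(SAMPLE, kvno_via_signed32))
    except ValueError as e:
        print("strict decoder   :", e)
```

With the UInt32 path the kvno encodes as the five bytes 00 80 01 00 02 and the re-encoded message is byte-identical to the input; through the signed 32-bit path the same kvno becomes the four bytes 80 01 00 02, which a DER decoder reads as -2147418110 and a UInt32-checking peer rejects.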
