Kerberos 1.7 and later does not interoperate with AD Read-only DCs
ghudson at MIT.EDU
Mon Mar 5 10:59:48 EST 2012
On 02/29/2012 06:37 PM, Nico Williams wrote:
> How does this come up? Via forwarded TGTs with these weird kvnos in
> their enc-part's EncryptedData?
Simpler than that. When you make an AS request, you get back a Ticket,
which has an EncryptedData. We decode that and re-encode it for TGS
> Also, we're not changing the definition for kvno anywhere else, correct?
On the wire, kvno is apparently only used in EncryptedData. That may
change with CAMMAC (where we want to associate a kvno and enctype with a
Checksum) but for now it's true.
I didn't change any on-disk representation of kvnos.
> Finally: do we have to make sure that kvnos for MIT principals never
> get larger than 2^31 - 1?
Well, we never worried about this in 1.6 and prior (which is the
behavior we're going back to), so I'm not sure it's a problem.
More information about the krbdev