[37015] in Kerberos


Re: Issue with kvno

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri May 29 12:21:10 2015

Message-ID: <5568912B.4030702@mit.edu>
Date: Fri, 29 May 2015 12:17:47 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Benjamin Kaduk <kaduk@mit.edu>, vishal <vicky.recw@gmail.com>
In-Reply-To: <alpine.GSO.1.10.1505291143520.22210@multics.mit.edu>
Cc: kerberos@mit.edu

Vishal found issue #7092 (worked around in 1.10.1) which may provide
some clues:

    http://krbdev.mit.edu/rt/Ticket/Display.html?id=7092
    http://mailman.mit.edu/pipermail/krbdev/2012-February/010699.html

and also provided a little more information.  Apparently the incoming
kvno (I assume from the Ticket in an AS-REP) is encoded by Windows as
FF, and is sent outgoing (I assume as part of the Ticket in a TGS-REQ)
as 00 FF FF FF FF.  No RODC is involved.

FF is the encoding of -1, not 255.  I believe MIT krb5 1.10.1 and later
would round-trip this as FF, but I'm not sure if Windows would like that
either.  Does the home domain have the kvno set to -1 for some reason?
What implementation of Kerberos is running on that KDC?

On 05/29/2015 11:45 AM, Benjamin Kaduk wrote:
> I don't have a definite answer for you, but:
> 
> 1.7 is very old.
> 
> 4294967295 is 0xffffffff is -1 as a 32-bit two's-complement integer.
> 
> 255 is 0xff is -1 as an 8-bit two's-complement integer.
> 
> kvnos are supposed to be unsigned integers, but krb5 prior to 1.10 (and
> even more so prior to 1.6) had bugs where they were treated as signed
> quantities.
> 
> -Ben Kaduk
> 
> 
> On Thu, 28 May 2015, vishal wrote:
> 
>> Hi,
>>
>> I did not get any answer for my query:
>>
>> "
>> Hi,
>>
>> I see an issue with kvno with kerberos version 1.7 where linux server is
>> sending the kvno to trusted domain as 4294967295 while it gets this as 255
>> from home domain.
>>
>> Is this a known issue?
>>
>> Thanks,
>> Vishal"
>>
>>
>>
>> On Tue, May 26, 2015 at 11:07 PM, vishal <vicky.recw@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I see an issue with kvno with kerberos version 1.7 where linux server is
>>> sending the kvno to trusted domain as 4294967295 while it gets this as 255
>>> from home domain.
>>>
>>> Is this a known issue?
>>>
>>> Thanks,
>>> Vishal
>>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>

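The octets discussed in this thread, worked through as an added example (not part of the original messages and not MIT krb5 code): a DER INTEGER with content `FF` decodes to -1, and storing that in an unsigned 32-bit kvno before re-encoding produces `00 FF FF FF FF`. The function names are hypothetical, and the mixed-signedness path is an assumed model that matches the reported values, not the actual krb5 1.7 code path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode DER INTEGER content octets (1..8 of them) as a signed value,
 * sign-extending from the top bit of the first octet. */
int64_t der_int_decode(const uint8_t *p, size_t len)
{
    uint64_t v = (p[0] & 0x80) ? UINT64_MAX : 0;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | p[i];
    return (int64_t)v;
}

/* Encode v as minimal DER INTEGER content octets; returns the octet count. */
size_t der_int_encode(int64_t v, uint8_t *out)
{
    size_t n = 1;
    /* Grow n until v fits in n octets of two's complement. */
    while (n < 8 && (v < -((int64_t)1 << (8 * n - 1)) ||
                     v >= ((int64_t)1 << (8 * n - 1))))
        n++;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)((uint64_t)v >> (8 * (n - 1 - i)));
    return n;
}

/* Assumed model of the mismatch: decode as signed 32-bit, re-encode as unsigned. */
size_t reencode_mixed(const uint8_t *in, size_t len, uint8_t *out)
{
    int32_t s = (int32_t)der_int_decode(in, len);      /* FF -> -1 */
    return der_int_encode((int64_t)(uint32_t)s, out);  /* -1 -> 4294967295 */
}

/* Same signedness on both sides: the value round-trips unchanged. */
size_t reencode_signed(const uint8_t *in, size_t len, uint8_t *out)
{
    return der_int_encode((int32_t)der_int_decode(in, len), out);
}

int main(void)
{
    const uint8_t wire[] = { 0xFF };  /* constructed: kvno octets quoted in the thread */
    uint8_t out[8];
    size_t n = reencode_mixed(wire, sizeof wire, out);
    for (size_t i = 0; i < n; i++) printf("%02X ", out[i]);
    printf("\n");
    return 0;
}
```

A kvno of 255 sent correctly as an unsigned value would arrive as `00 FF`, which both paths re-encode unchanged.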