[37018] in Kerberos


Re: Issue with kvno

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri May 29 14:21:18 2015

Message-ID: <5568AE0E.1090509@mit.edu>
Date: Fri, 29 May 2015 14:21:02 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: vishal <vicky.recw@gmail.com>
In-Reply-To: <CAG-wCMtf34+QTPiuxujZB2rgpDM-=vhSJVdvXh=yW5CGU5FiZg@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 05/29/2015 02:16 PM, vishal wrote:
> 1. Windows version is 2008r2 as domain controller.
>  
> 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
> for krbtgt for trusted domain from linux box.

I believe you are actually getting the ticket with kvno -1, not with
kvno 255.  When you see FF as the complete ASN.1 encoding of an integer,
that means -1, not 255.

> 3. Now when we send this ticket in TGS-REQ to trusted domain for ldap
> service we modify kvno to 4294967295 .
>  
> We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
> trusted domain (step 3) and windows kdc likes this packet.
>
> I got one old blog :
> 
> http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
> 
> Should I try this fix?

If you don't see the issue with 1.6.3, then that is almost certainly the
change you want, but it may not easily backport to 1.7.  1.10.1 and
later should have the same workaround.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
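The encoding point Greg makes above is easy to check by hand. The following is an added example, not code from the thread or from MIT krb5: a minimal DER INTEGER encoder/decoder, applied to the one-byte content 0xFF that vishal saw in the TGS-REP. The decoder yields -1; the two other numbers in the thread fall out of reinterpreting that -1 in a 32-bit unsigned field (4294967295, what the 1.7-era client re-sent) or an 8-bit one (255, what 1.6.3 re-sent). The sample bytes and the helper names are constructed for illustration; which of these values AD actually accepts is only what the thread reports, not something this code decides.

```python
"""
Added example (not from the original mailing-list thread or from MIT krb5).

DER encodes INTEGER as tag 0x02, a length, and a two's-complement content in
the shortest form that preserves the sign bit.  A single content byte 0xFF
therefore means -1; 255 needs a leading 0x00 byte (00 FF).
"""

INTEGER_TAG = 0x02


def der_encode_integer(value: int) -> bytes:
    """Encode a Python int as a DER INTEGER (short-form length only)."""
    if value == 0:
        content = b"\x00"
    else:
        # One extra bit for the sign, rounded up to whole bytes.
        length = (value.bit_length() + 8) // 8
        content = value.to_bytes(length, "big", signed=True)
        # DER forbids redundant leading 0x00 / 0xFF bytes.
        while len(content) > 1 and (
            (content[0] == 0x00 and content[1] < 0x80)
            or (content[0] == 0xFF and content[1] >= 0x80)
        ):
            content = content[1:]
    if len(content) >= 0x80:
        raise ValueError("long-form length not handled in this example")
    return bytes([INTEGER_TAG, len(content)]) + content


def der_decode_integer(der: bytes) -> int:
    """Decode a DER INTEGER; the content is always signed two's complement."""
    if len(der) < 3 or der[0] != INTEGER_TAG:
        raise ValueError("not a DER INTEGER")
    length = der[1]
    if length >= 0x80:
        raise ValueError("long-form length not handled in this example")
    content = der[2:2 + length]
    if len(content) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(content, "big", signed=True)


def kvno_views(der: bytes) -> tuple:
    """
    Return (signed value, value as uint32, value as uint8) for a DER-encoded
    kvno.  Names and the 8/32-bit widths are assumptions for illustration:
    they model a client stuffing the decoded value into a narrower field
    before re-encoding it in its next TGS-REQ.
    """
    signed = der_decode_integer(der)
    return signed, signed & 0xFFFFFFFF, signed & 0xFF


if __name__ == "__main__":
    # Constructed sample: the kvno field content seen in the thread.
    tgs_rep_kvno = bytes([INTEGER_TAG, 0x01, 0xFF])
    signed, u32, u8 = kvno_views(tgs_rep_kvno)
    print("decoded kvno:", signed)              # -1, not 255
    print("as uint32   :", u32, der_encode_integer(u32).hex())
    print("as uint8    :", u8, der_encode_integer(u8).hex())
    print("as -1       :", der_encode_integer(signed).hex())
```

Running the demo shows that only re-encoding the value as -1 reproduces the original `02 01 ff` bytes; re-encoding 255 gives `02 02 00 ff` and re-encoding 4294967295 gives `02 05 00 ff ff ff ff`, so a client that widens or truncates the decoded kvno sends the KDC a different INTEGER than the one it received.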
