
Re: Issue with kvno

daemon@ATHENA.MIT.EDU (vishal)
Fri May 29 17:27:40 2015

MIME-Version: 1.0
In-Reply-To: <CAG-wCMsSyaOUx0LCx++9gwcPvd1ZH+5z9zyL2weSoJfs-Oompg@mail.gmail.com>
Date: Fri, 29 May 2015 14:27:10 -0700
Message-ID: <CAG-wCMtsxhSiZe=cvVHyWHPMEd_SWB16vx=As0=d27VwCu0-ig@mail.gmail.com>
From: vishal <vicky.recw@gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

So this fix works fine. I tried it; it sends ff to the trusted domain.

Is it safe to do this fix? Can you please reply.

On Fri, May 29, 2015 at 11:31 AM, vishal <vicky.recw@gmail.com> wrote:

> It should be -1; Wireshark shows it as ff.
>
> What do you mean by not easily portable?
>
> I would just do:
> + FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
>
> Would it have any side effect?
>
> On Fri, May 29, 2015 at 11:21 AM, Greg Hudson <ghudson@mit.edu> wrote:
>
>> On 05/29/2015 02:16 PM, vishal wrote:
>> > 1. Windows version is 2008r2 as domain controller.
>> >
>> > 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
>> > for krbtgt for trusted domain from linux box.
>>
>> I believe you are actually getting the ticket with kvno -1, not with
>> kvno 255.  When you see FF as the complete ASN.1 encoding of an integer,
>> that means -1, not 255.
>>
>> > 3. Now when we send this ticket in TGS-REQ to the trusted domain for the ldap
>> > service we modify kvno to 4294967295.
>> >
>> > We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
>> > trusted domain (step 3) and windows kdc likes this packet.
>> >
>> > I got one old blog:
>> > http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
>> >
>> >
>> > Should I try this fix?
>>
>> If you don't see issue with 1.6.3, then that is almost certainly the
>> change you want, but it may not easily backport to 1.7.  1.10.1 and
>> later should have the same workaround.
>>
>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
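The point Greg makes above, that a lone `FF` content byte in an ASN.1 INTEGER means -1 rather than 255, is easy to check by hand. The following is an added example written for this archive page; it is not code from the thread or from MIT Kerberos. It implements a minimal DER INTEGER encoder and decoder (tag 0x02, short-form length, two's-complement content) and a helper that shows why a -1 kvno appears as 4294967295 once it is printed as an unsigned 32-bit value. The function names are my own.

```python
# Added example: DER INTEGER round-trip, written for illustration only.
# DER encodes INTEGER as two's-complement big-endian bytes using the
# minimal number of bytes, so 0xFF alone is -1 and 255 needs 0x00 0xFF.

DER_INTEGER_TAG = 0x02


def der_encode_integer(value: int) -> bytes:
    """Encode a Python int as a DER INTEGER TLV with minimal content length."""
    length = 1
    # Grow the content until the value fits in a signed field of that width.
    while not (-(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1))):
        length += 1
    content = value.to_bytes(length, "big", signed=True)
    if len(content) >= 0x80:
        raise ValueError("long-form length not needed for this example")
    return bytes([DER_INTEGER_TAG, len(content)]) + content


def der_decode_integer(data: bytes) -> int:
    """Decode a short-form DER INTEGER TLV, rejecting non-minimal encodings."""
    if len(data) < 2 or data[0] != DER_INTEGER_TAG:
        raise ValueError("not an INTEGER TLV")
    length = data[1]
    if length >= 0x80:
        raise ValueError("long-form length not handled in this example")
    content = data[2:2 + length]
    if len(content) != length or length == 0:
        raise ValueError("truncated or empty INTEGER content")
    # DER forbids a leading 0x00 or 0xFF byte that carries no information.
    if length > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)


def as_uint32(value: int) -> int:
    """Reinterpret a signed 32-bit value as unsigned (how -1 becomes 4294967295)."""
    return value & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample: the single content byte seen in the capture.
    wire = bytes([DER_INTEGER_TAG, 0x01, 0xFF])
    kvno = der_decode_integer(wire)
    print("FF decodes to", kvno)                       # -1
    print("255 encodes as", der_encode_integer(255).hex())  # 020200ff
    print("-1 as uint32 is", as_uint32(kvno))          # 4294967295
```

Run it directly to see the three values side by side; the decoder raises on a padded encoding such as `02 02 FF FF`, which is the kind of non-canonical form a strict DER parser would reject.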
