[37022] in Kerberos
Re: Issue with kvno
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri May 29 17:52:51 2015
Message-ID: <5568DF9A.2060109@mit.edu>
Date: Fri, 29 May 2015 17:52:26 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: vishal <vicky.recw@gmail.com>
In-Reply-To: <CAG-wCMtsxhSiZe=cvVHyWHPMEd_SWB16vx=As0=d27VwCu0-ig@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
It should be safe, yes.
On 05/29/2015 05:27 PM, vishal wrote:
> So this fix works fine. I tried it ..it sends ff to trusted domain.
>
> is it safe to do this fix? can you please reply.
>
> On Fri, May 29, 2015 at 11:31 AM, vishal <vicky.recw@gmail.com
> <mailto:vicky.recw@gmail.com>> wrote:
>
> It should be -1, wirehark shows as ff.
>
> What do you mean by not easily portable?
>
> I would do just do:
> + FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
>
> Would it have any side effect?
>
> On Fri, May 29, 2015 at 11:21 AM, Greg Hudson <ghudson@mit.edu
> <mailto:ghudson@mit.edu>> wrote:
>
> On 05/29/2015 02:16 PM, vishal wrote:
> > 1. Windows version is 2008r2 as domain controller.
> >
> > 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
> > for krbtgt for trusted domain from linux box.
>
> I believe you are actually getting the ticket with kvno -1, not with
> kvno 255. When you see FF as the complete ASN.1 encoding of an
> integer,
> that means -1, not 255.
>
> > 3. Now when we send this ticket in TGS-REQ to tursted domain for ldap
> > service we modify kvno to 4294967295 .
> >
> > We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
> > trusted domain (step 3) and windows kdc likes this packet.
> >
> >
> >
> > I got one old blog :
> >
> >
> http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
> <http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html>
> >
> > Should I try this fix?
>
> If you don't see issue with 1.6.3, then that is almost certainly the
> change you want, but it may not easily backport to 1.7. 1.10.1 and
> later should have the same workaround.
>
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
