[16614] in Kerberos_V5_Development
Re: kvno overflow
daemon@ATHENA.MIT.EDU (Jonathan Reams)
Mon Jan 31 16:13:32 2011
From: Jonathan Reams <jr3074@columbia.edu>
In-Reply-To: <1296508076.2456.603.camel@ray>
Date: Mon, 31 Jan 2011 16:13:29 -0500
Message-Id: <80AF4A02-50E1-4075-A046-D1ECDA96F3AD@columbia.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>

Yes, I get

kadmin: Incorrect password while initializing kadmin interface

when authenticating against kadmin using the keytab after the overflow occurs.

On Jan 31, 2011, at 4:07 PM, Greg Hudson wrote:
> On Mon, 2011-01-31 at 15:11 -0500, Jonathan Reams wrote:
>> It looks like there's a difference between how kvnos are handled in keytabs vs the principals database/kadmin. In order to monitor our iprop setup, we have a principal whose key gets added to a keytab once an hour, and when the kvno hit 257, it reset to 0 in the keytab, but not in kadmin.
>
> This is a limitation in the keytab format, and can't be easily fixed
> without invalidating everyone's keytabs. There are provisions in the
> code for most operations to continue working in the presence of kvnos
> exceeding 255. Are you seeing a behavior problem other than the display
> issue?
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
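
The keytab format limitation discussed in this thread, as an added example that is not part of the original messages or of MIT krb5: a minimal reader for the version 0x0502 keytab entry layout, where the kvno is a single byte, plus a monitoring check that compares keytab and database kvnos modulo 256. The function names, principals, enctype and key bytes are constructed for illustration, and any bytes following the key data in an entry are ignored.

```python
import struct

def _counted(buf, pos):
    """Read a uint16 length-prefixed byte string; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def pack_entry(realm, components, kvno, enctype, key):
    """Serialize one entry the way a version 0x0502 keytab stores it."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm)
    body += b"".join(counted(c) for c in components)
    body += struct.pack(">II", 1, 0)           # name type, timestamp (constructed)
    body += struct.pack(">B", kvno & 0xFF)     # the kvno field is a single byte
    body += struct.pack(">H", enctype) + counted(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno8)] for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                           # deleted entry: skip the hole
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        kvno8 = data[p + 8]                    # skip name type + timestamp
        entries.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno8))
        pos += size
    return entries

def stale_principals(keytab, db_kvnos):
    """Principals whose database kvno, modulo 256, is missing from the keytab."""
    seen = {}
    for princ, kvno8 in parse_keytab(keytab):
        seen.setdefault(princ, set()).add(kvno8)
    return sorted(p for p, k in db_kvnos.items() if (k & 0xFF) not in seen.get(p, set()))

# Constructed sample: one principal rekeyed past 255, one at a low kvno.
SAMPLE = (b"\x05\x02" + pack_entry(b"EXAMPLE.COM", [b"monitor"], 256, 18, bytes(32))
          + pack_entry(b"EXAMPLE.COM", [b"host", b"a.example.com"], 3, 18, bytes(32)))
```

A monitor that compares the raw database kvno against the keytab value would flag every principal rekeyed past 255; comparing modulo 256 avoids that false alarm while still catching a keytab that missed a rekey.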