Re: Kerberos 1.7 and later does not interoperate with AD Read-only DCs
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Mar 5 11:07:29 2012
Message-ID: <4F54E2F4.1030203@mit.edu>
Date: Mon, 05 Mar 2012 10:59:48 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <CAK3OfOjwxxbufpto4msBTqZPNzS7zb8SXMbk9EC6hzbPLAjLSQ@mail.gmail.com>
Cc: krbdev@mit.edu, abernstein@beyondtrust.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 02/29/2012 06:37 PM, Nico Williams wrote:
> How does this come up? Via forwarded TGTs with these weird kvnos in
> their enc-part's EncryptedData?
Simpler than that. When you make an AS request, you get back a Ticket,
which has an EncryptedData. We decode that and re-encode it for TGS
requests.
> Also, we're not changing the definition for kvno anywhere else, correct?
On the wire, kvno is apparently only used in EncryptedData. That may
change with CAMMAC (where we want to associate a kvno and enctype with a
Checksum) but for now it's true.
I didn't change any on-disk representation of kvnos.
> Finally: do we have to make sure that kvnos for MIT principals never
> get larger than 2^31 - 1?
Well, we never worried about this in 1.6 and prior (which is the
behavior we're going back to), so I'm not sure it's a problem.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
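Added illustration of the decode/re-encode round trip discussed above, written for this page rather than taken from the thread or from MIT krb5's own ASN.1 code. It DER-encodes the kvno INTEGER of an EncryptedData as an unsigned 32-bit value, then decodes it under two policies: one that keeps the full unsigned 32-bit range and one that refuses anything above 2^31 - 1 (the limit Nico asks about). The function names and the sample kvno 0x80000005 are constructed for the example; the 5-octet encoding (leading 0x00 plus four value octets) is what DER requires for any non-negative integer whose top bit is set.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* DER-encode a kvno as INTEGER (tag 0x02). Content is big-endian two's
 * complement in the fewest octets, so a value >= 2^31 needs a leading 0x00
 * and five content octets. Returns bytes written, or 0 if out is too small. */
size_t der_encode_kvno(uint32_t kvno, unsigned char *out, size_t outlen)
{
    unsigned char content[5];
    size_t n = 0, i;

    for (i = 0; i < 4; i++) {                       /* drop leading zero octets */
        unsigned char b = (unsigned char)(kvno >> (8 * (3 - i)));
        if (n == 0 && b == 0 && i < 3)
            continue;
        content[n++] = b;
    }
    if (content[0] & 0x80) {                        /* keep the value positive */
        memmove(content + 1, content, n);
        content[0] = 0x00;
        n++;
    }
    if (outlen < 2 + n)
        return 0;
    out[0] = 0x02;
    out[1] = (unsigned char)n;                      /* short-form length */
    memcpy(out + 2, content, n);
    return 2 + n;
}

/* Parse a DER INTEGER into a non-negative 64-bit magnitude. Rejects negative
 * values, non-minimal encodings and lengths a kvno never needs. */
static int der_decode_nonneg(const unsigned char *in, size_t inlen, uint64_t *val)
{
    size_t len, i;
    uint64_t v = 0;

    if (inlen < 2 || in[0] != 0x02)
        return -1;
    len = in[1];
    if (len == 0 || len > 8 || inlen < 2 + len)
        return -1;
    if (in[2] & 0x80)
        return -1;                                  /* negative: never a kvno */
    if (len > 1 && in[2] == 0x00 && !(in[3] & 0x80))
        return -1;                                  /* not minimal, not DER */
    for (i = 0; i < len; i++)
        v = (v << 8) | in[2 + i];
    *val = v;
    return 0;
}

/* Policy A: kvno is an unsigned 32-bit quantity, so values above 2^31 - 1 decode. */
int kvno_decode_u32(const unsigned char *in, size_t inlen, uint32_t *kvno)
{
    uint64_t v;
    if (der_decode_nonneg(in, inlen, &v) != 0 || v > UINT32_MAX)
        return -1;
    *kvno = (uint32_t)v;
    return 0;
}

/* Policy B: kvno must fit a signed 32-bit int; anything above 2^31 - 1 is refused. */
int kvno_decode_i32(const unsigned char *in, size_t inlen, int32_t *kvno)
{
    uint64_t v;
    if (der_decode_nonneg(in, inlen, &v) != 0 || v > INT32_MAX)
        return -1;
    *kvno = (int32_t)v;
    return 0;
}

/* What a client does with the AS-REP ticket's EncryptedData: decode the kvno,
 * then re-encode it for the TGS-REQ. Returns 1 if the bytes survive unchanged. */
int kvno_roundtrip_u32(uint32_t kvno)
{
    unsigned char enc[8], re[8];
    uint32_t decoded;
    size_t n = der_encode_kvno(kvno, enc, sizeof enc);
    if (n == 0 || kvno_decode_u32(enc, n, &decoded) != 0)
        return 0;
    return der_encode_kvno(decoded, re, sizeof re) == n && memcmp(enc, re, n) == 0;
}

/* Convenience probes: total encoded length, and whether policy B accepts the kvno. */
size_t kvno_encoded_len(uint32_t kvno)
{
    unsigned char b[8];
    return der_encode_kvno(kvno, b, sizeof b);
}
int kvno_fits_i32(uint32_t kvno)
{
    unsigned char b[8];
    int32_t s;
    size_t n = der_encode_kvno(kvno, b, sizeof b);
    return n != 0 && kvno_decode_i32(b, n, &s) == 0;
}

int main(void)
{
    uint32_t big = 0x80000005u;   /* constructed sample above 2^31 - 1, not a real AD kvno */
    unsigned char buf[8];
    size_t n = der_encode_kvno(big, buf, sizeof buf), i;

    printf("kvno 0x%08x encodes as:", big);
    for (i = 0; i < n; i++)
        printf(" %02x", buf[i]);
    printf("\nsigned-32 decode: %s\n", kvno_fits_i32(big) ? "accepted" : "rejected");
    printf("unsigned-32 round trip: %s\n", kvno_roundtrip_u32(big) ? "ok" : "failed");
    return 0;
}
```

The point to check in any decoder: the ASN.1 INTEGER is unbounded, so the cap is whatever C type the decoder stores it in. A kvno of 3 encodes as `02 01 03` and round-trips under both policies; 0x80000005 encodes as `02 05 00 80 00 00 05` and only the unsigned policy re-emits it byte for byte.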