Thanks. Can someone please reply to this as well, just for my understanding: why do I see kvno in the ticket only when I create a new trust and join the domain? After 1-2 hours of trust creation I do not see kvno in the ticket.
On Fri, May 29, 2015 at 2:52 PM, Greg Hudson <ghud...@mit.edu> wrote:
> It should be safe, yes.
>
> On 05/29/2015 05:27 PM, vishal wrote:
> > So this fix works fine. I tried it. It sends ff to trusted domain.
> >
> > Is it safe to do this fix? Can you please reply.
> >
> > On Fri, May 29, 2015 at 11:31 AM, vishal <vicky.r...@gmail.com
> > <mailto:vicky.r...@gmail.com>> wrote:
> >
> > It should be -1, Wireshark shows as ff.
> >
> > What do you mean by not easily portable?
> >
> > I would just do:
> > + FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
> >
> > Would it have any side effect?
> >
> > On Fri, May 29, 2015 at 11:21 AM, Greg Hudson <ghud...@mit.edu
> > <mailto:ghud...@mit.edu>> wrote:
> >
> > On 05/29/2015 02:16 PM, vishal wrote:
> > > 1. Windows version is 2008r2 as domain controller.
> > >
> > > 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
> > > for krbtgt for trusted domain from linux box.
> >
> > I believe you are actually getting the ticket with kvno -1, not with
> > kvno 255. When you see FF as the complete ASN.1 encoding of an integer,
> > that means -1, not 255.
> >
> > > 3. Now when we send this ticket in TGS-REQ to trusted domain for ldap
> > > service we modify kvno to 4294967295.
> > >
> > > We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
> > > trusted domain (step 3) and windows kdc likes this packet.
> > >
> > > I got one old blog:
> > >
> > > http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
> > > <http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html>
> > >
> > > Should I try this fix?
> >
> > If you don't see issue with 1.6.3, then that is almost certainly the
> > change you want, but it may not easily backport to 1.7. 1.10.1 and
> > later should have the same workaround.
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
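The following is an added example, not part of this thread and not MIT krb5's own code, illustrating the ASN.1 point Greg makes above: a DER INTEGER's content octets are two's complement, so a single content byte FF decodes to -1, while 255 needs the two octets 00 FF. It also shows what happens when a decoded -1 is stored in an unsigned 32-bit kvno field (it becomes 4294967295 and re-encodes as five octets), which is the value the thread reports being sent to the trusted domain. All function names and the `02 01 ff` sample bytes are constructed for illustration.

```python
# Added example (not from the thread or MIT krb5): minimal DER INTEGER
# encoder/decoder, used to show why a lone 0xFF content octet is -1, not 255.


def _encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_length(data: bytes, pos: int) -> tuple[int, int]:
    """Return (length, offset of first content octet) starting at data[pos]."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or pos + 1 + nbytes > len(data):
        raise ValueError("bad DER length")
    return int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def der_encode_integer(value: int) -> bytes:
    """DER-encode an ASN.1 INTEGER: tag 0x02, two's complement content,
    minimal number of octets (a positive value whose top bit is set gets a
    leading 0x00, which is why 255 encodes as 00 FF, not FF)."""
    nbytes = (value.bit_length() + 8) // 8          # room for the sign bit
    content = value.to_bytes(nbytes, "big", signed=True)
    # Drop redundant leading 0x00 / 0xFF octets as DER requires.
    while len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        content = content[1:]
    return b"\x02" + _encode_length(len(content)) + content


def der_decode_integer(data: bytes) -> tuple[int, bytes]:
    """Decode one DER INTEGER from the front of data; return (value, rest).
    Content octets are two's complement, so b'\\xff' alone is -1."""
    if not data or data[0] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length, offset = _decode_length(data, 1)
    content = data[offset:offset + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(content, "big", signed=True), data[offset + length:]


def kvno_as_uint32(value: int) -> int:
    """Reinterpret a decoded kvno the way a caller that stores it in an
    unsigned 32-bit field would see it (-1 becomes 4294967295)."""
    return value & 0xFFFFFFFF


def demo() -> dict:
    """Walk through the three encodings discussed in the thread."""
    # Constructed sample: the kvno field as seen on the wire, content octet FF.
    wire = bytes.fromhex("0201ff")
    signed, _ = der_decode_integer(wire)
    unsigned = kvno_as_uint32(signed)
    return {
        "decoded_signed": signed,                               # -1
        "as_uint32": unsigned,                                  # 4294967295
        "reencoded_as_uint32": der_encode_integer(unsigned).hex(),  # 020500ffffffff
        "reencoded_as_int32": der_encode_integer(signed).hex(),     # 0201ff
        "encode_255": der_encode_integer(255).hex(),                # 020200ff
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Decoding the field as a signed 32-bit integer and re-encoding it reproduces the original `02 01 ff` bytes; widening it to an unsigned field first produces the five-octet encoding of 4294967295, which is a different value on the wire and not what the peer originally sent.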