It should be safe, yes.

On 05/29/2015 05:27 PM, vishal wrote:
> So this fix works fine. I tried it... it sends ff to trusted domain.
>  
> Is it safe to do this fix? Can you please reply.
> 
> On Fri, May 29, 2015 at 11:31 AM, vishal <vicky.r...@gmail.com> wrote:
> 
>     It should be -1, Wireshark shows as ff.
>      
>     What do you mean by not easily portable?
>      
>     I would just do:
>     + FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
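Review bot: the added FIELDOF_OPT line carries no comment on why kvno is typed int32, and the line it replaces is not shown. Add a comment saying that the signed type is what lets a kvno received as FF (-1) be sent back as FF instead of 4294967295, and check that code which compares or prints kvno copes with a negative value.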
>      
>     Would it have any side effect?
> 
>     On Fri, May 29, 2015 at 11:21 AM, Greg Hudson <ghud...@mit.edu> wrote:
> 
>         On 05/29/2015 02:16 PM, vishal wrote:
>         > 1. Windows version is 2008r2 as domain controller.
>         >
>         > 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
>         > for krbtgt for trusted domain from linux box.
> 
>         I believe you are actually getting the ticket with kvno -1, not with
>         kvno 255.  When you see FF as the complete ASN.1 encoding of an
>         integer, that means -1, not 255.
> 
>         > 3. Now when we send this ticket in TGS-REQ to trusted domain for ldap
>         > service we modify kvno to 4294967295.
>         >
>         > We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
>         > trusted domain (step 3) and windows kdc likes this packet.
>         >
>         >
>         >
>         > I got one old blog:
>         >
>         > http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
>         >
>         > Should I try this fix?
> 
>         If you don't see issue with 1.6.3, then that is almost certainly the
>         change you want, but it may not easily backport to 1.7.  1.10.1 and
>         later should have the same workaround.
> 
> 
> 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
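Added example, not part of the thread and not MIT krb5 code: a minimal DER INTEGER content decoder and encoder showing why a kvno received as FF is -1, and how holding it in a signed versus an unsigned 32-bit field changes what gets re-encoded. All function names are hypothetical and the FF input is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Decode DER INTEGER content octets: big-endian two's complement (len 1..8). */
static int64_t der_int_decode(const unsigned char *p, size_t len)
{
    uint64_t v = (p[0] & 0x80) ? UINT64_MAX : 0;   /* sign-extend from top bit */
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | p[i];
    return (int64_t)v;
}

/* Encode v as minimal DER INTEGER content octets; returns the length. */
static size_t der_int_encode(int64_t v, unsigned char out[8])
{
    uint64_t u = (uint64_t)v;
    size_t n = 8;
    while (n > 1) {                 /* drop redundant sign-extension octets */
        unsigned top = (u >> (8 * (n - 1))) & 0xFF, next = (u >> (8 * (n - 2))) & 0x80;
        if (!((top == 0x00 && !next) || (top == 0xFF && next)))
            break;
        n--;
    }
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(u >> (8 * (n - 1 - i)));
    return n;
}

/* Hold a received kvno in a signed 32-bit field, then re-encode it. */
static size_t reencode_as_int32(const unsigned char *in, size_t len, unsigned char out[8])
{
    int32_t kvno = (int32_t)der_int_decode(in, len);
    return der_int_encode(kvno, out);
}

/* Hold it in an unsigned 32-bit field instead: -1 becomes 4294967295. */
static size_t reencode_as_uint32(const unsigned char *in, size_t len, unsigned char out[8])
{
    uint32_t kvno = (uint32_t)der_int_decode(in, len);
    return der_int_encode((int64_t)kvno, out);
}

int main(void)
{
    const unsigned char ff[] = { 0xFF };   /* constructed sample: the FF from the thread */
    unsigned char out[8];
    printf("FF = %lld; int32 path %zu octet(s), uint32 path %zu octet(s)\n",
           (long long)der_int_decode(ff, 1), reencode_as_int32(ff, 1, out),
           reencode_as_uint32(ff, 1, out));
    return 0;
}
```

The signed path returns the single octet FF, while the unsigned path produces the five octets 00 FF FF FF FF; the value 255 itself would encode as 00 FF.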
