So this fix works fine. I tried it; it sends ff to trusted domain. Is it safe to do this fix? Can you please reply?

On Fri, May 29, 2015 at 11:31 AM, vishal <[email protected]> wrote:

> It should be -1, wireshark shows as ff.
>
> What do you mean by not easily portable?
>
> I would just do:
> + FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
>
> Would it have any side effect?
>
> On Fri, May 29, 2015 at 11:21 AM, Greg Hudson <[email protected]> wrote:
>
>> On 05/29/2015 02:16 PM, vishal wrote:
>> > 1. Windows version is 2008r2 as domain controller.
>> >
>> > 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
>> > for krbtgt for trusted domain from linux box.
>>
>> I believe you are actually getting the ticket with kvno -1, not with
>> kvno 255. When you see FF as the complete ASN.1 encoding of an integer,
>> that means -1, not 255.
>>
>> > 3. Now when we send this ticket in TGS-REQ to trusted domain for ldap
>> > service we modify kvno to 4294967295 .
>> >
>> > We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
>> > trusted domain (step 3) and windows kdc likes this packet.
>> >
>> > I got one old blog :
>> >
>> > http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
>> >
>> > Should I try this fix?
>>
>> If you don't see issue with 1.6.3, then that is almost certainly the
>> change you want, but it may not easily backport to 1.7. 1.10.1 and
>> later should have the same workaround.
>>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
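
Review bot: the quoted `+ FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),` line is posted without the line it replaces and without the declared type of the `kvno` member, so the side-effect question cannot be settled from this line alone. Include the removed `-` line with the hunk, and confirm with a test that a kvno decoded from FF is re-encoded as FF while ordinary positive kvnos (for example 255, which encodes as 00 FF) come out unchanged.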
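
The encoding point discussed in the thread (FF as a complete INTEGER encoding means -1, and the same value pushed through an unsigned 32-bit field goes back out as 4294967295), as an added C example that is not code from the thread or from the krb5 source. The function names are hypothetical and the input octet is constructed from the values quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustration only, not krb5's encoder. Decode DER INTEGER contents (1..4 octets) as signed. */
static int der_int_decode(const uint8_t *p, size_t len, int32_t *out)
{
    if (len == 0 || len > 4)
        return -1;
    uint32_t v = (p[0] & 0x80) ? 0xFFFFFFFFu : 0;   /* sign-extend from the first octet */
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | p[i];
    *out = (int32_t)v;
    return 0;
}

/* Minimal signed encoding: drop a leading octet while it only repeats the sign bit. */
static size_t der_int_encode_signed(int32_t val, uint8_t out[4])
{
    uint32_t v = (uint32_t)val;
    size_t len = 4;
    while (len > 1 && ((v >> (8 * len - 9)) & 0x1FF) == (val < 0 ? 0x1FFu : 0u))
        len--;
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)(v >> (8 * (len - 1 - i)));
    return len;
}

/* Unsigned encoding: a leading 00 octet is needed when the top bit is set. */
static size_t der_int_encode_unsigned(uint32_t v, uint8_t out[5])
{
    size_t n = 4, len = 0;
    while (n > 1 && (uint8_t)(v >> (8 * (n - 1))) == 0)
        n--;
    if ((v >> (8 * (n - 1))) & 0x80)
        out[len++] = 0x00;
    for (size_t i = 0; i < n; i++)
        out[len++] = (uint8_t)(v >> (8 * (n - 1 - i)));
    return len;
}

int main(void)
{
    const uint8_t wire[] = { 0xFF };   /* constructed: kvno contents as quoted in the thread */
    uint8_t s[4], u[5];
    int32_t kvno = 0;
    der_int_decode(wire, sizeof wire, &kvno);
    printf("kvno=%d signed=%zu octet(s) unsigned=%zu octet(s)\n", (int)kvno,
           der_int_encode_signed(kvno, s), der_int_encode_unsigned((uint32_t)kvno, u));
    return 0;
}
```

The signed path returns the single octet FF, while the unsigned path produces 00 FF FF FF FF, which is the 4294967295 described in step 3.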
