On Fri, 2014-11-07 at 11:15 -0600, Andrew Deason wrote: > It seems likely the 0 kvno is the problem. We only copy in a principal > if the kvno in the keytab is greater than 'vno' in > akimpersonate.c:pick_principal, which starts out at 0. I assume that's > valid and we just hadn't encountered this yet?
I don't think it's supposed to be possible to have a kvno of 0 with a true Kerberos (4 or 5). kaserver, on the other hand, considered it valid and used 0 as the initial kvno; this has caused problems for me in the past when migrating from kaserver to Kerberos. -- brandon s allbery kf8nh sine nomine associates [email protected] [email protected] unix openafs kerberos infrastructure xmonad http://sinenomine.net
