Ok. I followed your indications. I have the 02 LL, with LL being 01. So only one byte is highlighted: 05. So it is not a long value... It doesn't correspond with your problem description, but I've been comparing the captures of my two tests:

1. Not forwarding cross-realm authentication, going directly from the ssh server to access the NFS server (using RODC W2008). Result: it works.

2. Ticket forwarding cross-realm authentication from my desktop computer, using a regular W2008 DC, to the ssh server, and then from there trying to access the NFS server, but this time requesting the service ticket from a RODC using the forwarded ticket from my W2008 server. Result: it doesn't work.

For me the main difference is that the field Name-Type is not being set. In the first case the Name-Type is set to Service and Instance in the TGS Request. In the second case it is set to unknown, and Windows Server 2008 R2 RODC insists on TGS principal names having the name type. Could it be that the Name-Type must be set somewhere else?

TGS-REQ capture image in Case 2: http://imageshack.us/photo/my-images/526/kerberos.jpg/

________________________________________
From: Sebastian Galiano
Sent: 17 April 2012 09:07
To: Greg Hudson
Cc: [email protected]
Subject: RE: Kerberos, Windows2008 RODC and ticket forwarding Problem

Ok. I followed your indications. As you can see in the capture, I have the 02 LL, with LL being 01. So only one byte is highlighted: 05. So it is not a long value...

________________________________________
From: Greg Hudson [[email protected]]
Sent: 16 April 2012 17:20
To: Sebastian Galiano
Cc: [email protected]
Subject: Re: Kerberos, Windows2008 RODC and ticket forwarding Problem

On 04/16/2012 10:36 AM, Sebastian Galiano wrote:
> I applied the patches to my clients, and it's still not working. Is there any way
> to test if the encoding has been placed correctly? Should I also apply the
> patch to the kdc?

No, it's not necessary to apply it to the KDC.

If you're using wireshark, you can look at how the kvno is encoded in a TGS request. Expand the PA-TGS-REQ padata item, then the type and value, then the Ticket in there, and then click on the Tkt-vno field. Now look at the hex window below. You should see "02 LL" followed by some highlighted bytes, where LL is between 01 and 05 and is equal to the number of highlighted bytes.

For a TGS request to a Windows RODC, the kvno value will be large. The interop issue arises when the kvno is between 2147483648 and 4294967295. If such a value is encoded with five bytes, then the fix hasn't been properly applied and the kvno encoding issue is your problem. If it's encoded with four bytes, the interop fix has been properly applied and your problem lies elsewhere.

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
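The check Greg Hudson describes above (read the "02 LL" bytes Wireshark highlights for Tkt-vno and see whether a kvno between 2147483648 and 4294967295 occupies five content bytes or four) can also be done on the raw bytes. The Python below is an added example written for this page; it is not code from the thread or from MIT krb5. It encodes a kvno both ways and classifies an INTEGER TLV copied from the hex pane. The arithmetic behind the two forms is plain DER: an INTEGER is two's complement in the fewest octets, so a value with bit 31 set needs a leading 0x00 and therefore five bytes, and the only way to fit such a value into four bytes is to write its 32-bit pattern directly, which a strict DER decoder reads as a negative number. That the interop fix emits exactly this four-byte pattern is an assumption here (the thread only says "four bytes"). The hex dumps in the demo are constructed; the "02 01 05" one matches what Sebastian reports. All function names are mine.

```python
"""Added example (not from the thread or MIT krb5): inspect how a Kerberos
kvno is DER-encoded as an ASN.1 INTEGER, the check described for the
Windows 2008 R2 RODC interop issue.

Input is the "02 LL ..." byte sequence Wireshark highlights for Tkt-vno.
"""


def der_encode_integer(value: int) -> bytes:
    """Strict DER (X.690 8.3) encoding of a non-negative INTEGER.

    Two's complement in the fewest octets; a value whose top bit is set
    gets a leading 0x00 so it is not read as negative. Hence
    2147483648 (0x80000000) -> 02 05 00 80 00 00 00: five content bytes.
    """
    if value < 0:
        raise ValueError("only non-negative kvnos are handled here")
    length = max(1, (value.bit_length() + 7) // 8)
    content = value.to_bytes(length, "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    return bytes([0x02, len(content)]) + content


def encode_kvno_windows_compat(kvno: int) -> bytes:
    """The four-byte form for kvnos in [2^31, 2^32).

    The 32-bit pattern is written with no 0x00 pad. Assumption: this is
    what the interop fix discussed in the thread produces; a strict DER
    decoder reads it as a negative number. Smaller kvnos are unaffected
    and use plain DER.
    """
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno must fit in 32 bits")
    if kvno >= 0x80000000:
        return b"\x02\x04" + kvno.to_bytes(4, "big")
    return der_encode_integer(kvno)


def inspect_kvno(tlv: bytes) -> dict:
    """Classify an INTEGER TLV as copied from the Wireshark hex pane.

    Returns the content length LL, the value a strict DER decoder sees,
    the kvno read as an unsigned 32-bit number, and which form it is:
      "strict_der"     - five bytes, 00 pad + bit 31 set: fix NOT applied
      "windows_compat" - four bytes with bit 31 set: fix applied
      "small"          - kvno below 2^31, not the interop case
    """
    if len(tlv) < 2 or tlv[0] != 0x02:
        raise ValueError("not a DER INTEGER (tag 0x02)")
    ll = tlv[1]
    if ll == 0 or ll > 5 or len(tlv) != 2 + ll:
        raise ValueError("length byte LL must be 01..05 and match the content")
    content = tlv[2:]
    der_value = int.from_bytes(content, "big", signed=True)

    if ll == 5:
        if content[0] != 0x00 or not content[1] & 0x80:
            raise ValueError("five-byte INTEGER is not a 00-padded value in [2^31, 2^32)")
        form, kvno = "strict_der", der_value
    elif ll == 4 and content[0] & 0x80:
        form, kvno = "windows_compat", der_value & 0xFFFFFFFF
    elif der_value < 0:
        raise ValueError("negative kvno in a short INTEGER")
    else:
        form, kvno = "small", der_value
    return {"length": ll, "form": form, "kvno": kvno, "der_value": der_value}


if __name__ == "__main__":
    # Constructed hex dumps in the form Wireshark shows them; the first
    # matches the "02 01 05" reported in the thread.
    for dump in ("02 01 05", "02 05 00 80 00 00 01", "02 04 80 00 00 01"):
        print(dump, "->", inspect_kvno(bytes.fromhex(dump)))
    assert inspect_kvno(encode_kvno_windows_compat(0x80000000))["form"] == "windows_compat"
    assert inspect_kvno(der_encode_integer(0x80000000))["form"] == "strict_der"
```

Paste the bytes Wireshark highlights for Tkt-vno into `bytes.fromhex` and call `inspect_kvno`: "strict_der" is the five-byte case that means the fix is not in effect, "windows_compat" the four-byte case that means it is, and "small" means the kvno is below 2^31 and the encoding question does not apply to that request.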
