It should be -1, Wireshark shows it as ff. What do you mean by not easily portable?

I would just do:

+ FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),

Would it have any side effect?

On Fri, May 29, 2015 at 11:21 AM, Greg Hudson <ghud...@mit.edu> wrote:

> On 05/29/2015 02:16 PM, vishal wrote:
> > 1. Windows version is 2008r2 as domain controller.
> >
> > 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
> > for krbtgt for trusted domain from linux box.
>
> I believe you are actually getting the ticket with kvno -1, not with
> kvno 255. When you see FF as the complete ASN.1 encoding of an integer,
> that means -1, not 255.
>
> > 3. Now when we send this ticket in TGS-REQ to trusted domain for ldap
> > service we modify kvno to 4294967295 .
> >
> > We do not see this issue with kerberos 1.6.3. It sends kvno as 255 to
> > trusted domain (step 3) and windows kdc likes this packet.
> >
> > I got one old blog :
> >
> > http://kerberos.996246.n3.nabble.com/Kerberos-1-7-and-later-does-not-interoperate-with-AD-Read-only-DCs-td23528.html
> >
> > Should I try this fix?
>
> If you don't see issue with 1.6.3, then that is almost certainly the
> change you want, but it may not easily backport to 1.7. 1.10.1 and
> later should have the same workaround.
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
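
The integer encodings discussed in this thread, as an added example that is not part of the original messages and not MIT krb5 code: a minimal encoder and decoder for DER INTEGER content octets, showing that FF is -1, that 255 needs 00 FF, and what goes on the wire for 4294967295. The function names are hypothetical, and treating 4294967295 as -1 held in an unsigned 32-bit variable is an assumption; the thread only reports the values.

```c
#include <stdint.h>
#include <stdio.h>

/* Decode DER INTEGER content octets (big-endian two's complement); the top
 * bit of the first octet is the sign. Returns 0, or -1 on a bad length. */
int der_int_decode(const uint8_t *p, size_t len, int64_t *out)
{
    if (len == 0 || len > 8)
        return -1;
    uint64_t v = (p[0] & 0x80) ? UINT64_MAX : 0;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | p[i];
    *out = (int64_t)v;
    return 0;
}

/* Encode v as minimal DER INTEGER content octets; returns the length. */
size_t der_int_encode(int64_t v, uint8_t buf[8])
{
    uint64_t u = (uint64_t)v;
    size_t len = 8;
    /* Drop a leading octet while it only repeats the sign of the next one. */
    while (len > 1) {
        uint8_t top = (uint8_t)(u >> (8 * (len - 1)));
        uint8_t next = (uint8_t)(u >> (8 * (len - 2)));
        if (!((top == 0x00 && !(next & 0x80)) || (top == 0xFF && (next & 0x80))))
            break;
        len--;
    }
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(u >> (8 * (len - 1 - i)));
    return len;
}

int main(void)
{
    /* Constructed samples: -1, 255, and -1 reinterpreted as uint32_t
     * (assumed origin of the 4294967295 reported in the thread). */
    int64_t samples[] = { -1, 255, (int64_t)(uint32_t)-1 };
    for (size_t s = 0; s < 3; s++) {
        uint8_t buf[8];
        size_t n = der_int_encode(samples[s], buf);
        printf("%lld ->", (long long)samples[s]);
        for (size_t i = 0; i < n; i++)
            printf(" %02X", buf[i]);
        printf("\n");
    }
    return 0;
}
```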