Vishal found issue #7092 (worked around in 1.10.1) which may provide
some clues:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7092
http://mailman.mit.edu/pipermail/krbdev/2012-February/010699.html
and also provided a little more information. Apparently the incoming
kvno (I assume
On Fri, 2015-05-29 at 11:45 -0400, Benjamin Kaduk wrote:
I don't have a definite answer for you, but:
1.7 is very old.
4294967295 is 0x is -1 as a 32-bit twos-complement integer
For what it's worth, we just had a customer report this problem ---
after a Heimdal update. (I didn't
One important point I missed is that we see this issue only when we create a new
trust between domains and join the Linux box to the domain; only in that case kvno
comes in the TGS-RESP. When the trust is already present, kvno does not come in the
TGS-RESP. I am not sure under what cases kvno should come.
On Fri, May 29,
Hi Greg,
Thanks for reply. Let me explain this issue in detail:
1. Windows version is 2008r2 as domain controller.
2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent for
krbtgt for trusted domain from linux box.
3. Now when we send this ticket in TGS-REQ to trusted domain for
On 05/29/2015 02:16 PM, vishal wrote:
1. Windows version is 2008r2 as domain controller.
2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
for krbtgt for trusted domain from linux box.
I believe you are actually getting the ticket with kvno -1, not with
kvno 255. When
It should be -1, Wireshark shows as ff.
What do you mean by not easily portable?
I would just do:
+ FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
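Review bot: the added FIELDOF_OPT line for kvno in krb5_enc_data carries no comment and is shown without the line it replaces, so the reason for treating kvno as int32 is not recorded next to the code. Add a comment there noting that a peer can send kvno as -1 (ff on the wire, 4294967295 when read as unsigned 32-bit), and check the other users of this kvno field for code that assumes the value is non-negative.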
Would it have any side effect?
On Fri, May 29, 2015 at 11:21 AM, Greg Hudson ghud...@mit.edu wrote:
On 05/29/2015 02:16 PM, vishal wrote:
1.
In regard to: Multi-tenancy in MIT KDC, Firouzeh Jalilian said (at 10:24pm...:
I would like to know if there is any support currently for multi-tenancy
in MIT KDC?
What do you mean by multi-tenancy? Do you mean one krb5kdc process
serving multiple distinct realms? If so, then yes, that's
What is the definition of realm in MIT KDC? Is it just different domains?
By definition of tenant I am referring to a categorization above the
domains. For example a tenant could have multiple domains, and when a user
logs in there has to be an indicator of the tenant it belongs to besides
It should be safe, yes.
On 05/29/2015 05:27 PM, vishal wrote:
So this fix works fine. I tried it; it sends ff to the trusted domain.
Is it safe to do this fix? Can you please reply?
On Fri, May 29, 2015 at 11:31 AM, vishal vicky.r...@gmail.com wrote:
It
thanks.
Can someone please reply to this as well, just for my understanding:
why do I see kvno in the ticket only when I create a new trust and join the
domain? After 1-2 hours of trust creation I do not see kvno in the ticket.
On Fri, May 29, 2015 at 2:52 PM, Greg Hudson ghud...@mit.edu wrote:
It should be
Hi,
I would like to know if there is any support currently for multi-tenancy in MIT
KDC?
Thanks
Firouzeh
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Fri, 29 May 2015, vishal wrote:
Can someone please reply to this as well, just for my understanding:
why do I see kvno in the ticket only when I create a new trust and join the
domain? After 1-2 hours of trust creation I do not see kvno in the ticket.
I don't think there's sufficient detail there for me
My question is why kvno is not always present in the ticket. This is
basically the ticket which comes in the TGS-RESP (from the home domain), and the sname is
krbtgt for the trusted domain in the TGS-REQ.
I see kvno only when a new trust is created between domains and we join the
domain. So under what situation kvno would
So this fix works fine. I tried it; it sends ff to the trusted domain.
Is it safe to do this fix? Can you please reply?
On Fri, May 29, 2015 at 11:31 AM, vishal vicky.r...@gmail.com wrote:
It should be -1, Wireshark shows as ff.
What do you mean by not easily portable?
I would just do:
+