Content-type: text/html; charset=us-ascii Content-transfer-encoding: quoted-printable X-RT-Original-Encoding: iso-8859-1 Content-Length: 3650

I was experimenting with a Kerberos database which was constructed in the early 1990s when the db_creation would create krbtgt with kvno = 0.

 

If you try to update the krbtgt, using “cpw –randkey –keepold krbtgt/XXX”, the old key cannot effectively be used by clients. *_search_enctypes and *_find_enctypes allow kvno to be passed in as a search criteria, but the default routine (in lib/kdb/kdb_default.c) will treat kvno=0 as a flag to return the latest kvno. Ironically, it also treats -1 the same way.

 

This problem with krbtgt key rotation only occurs when you have a krbtgt with kvno=0 (which again can happen if the database was created long ago but the key was never updated).

 

A quick fix is to change the KDC code to pass in kvno=-1 when searching for “latest key” and change the routine such that kvno=0 will return kvno 0 if found or latest key if not found (that way, the API is relatively cleanly preserved).

 

lib/kdb/kdb_default.c

 

Fix calls from:

plugins/kdb/hdb/kdb_windc.c

kdc/kdc_preauth.c

kdc/kdc_preauth_encts.c

kdc/do_as_req.c

kdc/do_tgs_req.c

kdc/kdc_util.c

 

If you agree with the above approach, I will send in a patch… (though it is probably not difficult to re-implement with the above description of the framework).