Return-Path: Received: from mta6.srv.hcvlny.cv.net (mta6.srv.hcvlny.cv.net [167.206.4.212]) by krbdev.mit.edu (Postfix) with ESMTP id 87CB33EC19 for ; Thu, 25 Oct 2012 22:06:23 -0400 (EDT) Received: from isis.internal.bright-prospects.com (ool-4a5a27d7.dyn.optonline.net [74.90.39.215]) by mta6.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-9.20 (built Jul 15 2010)) with ESMTP id <0MCH00CSV9UM4WJ0@mta6.srv.hcvlny.cv.net> for rt-comment@krbdev.mit.edu; Thu, 25 Oct 2012 22:06:23 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by isis.internal.bright-prospects.com (Postfix) with ESMTP id 8C306122BD for ; Thu, 25 Oct 2012 22:06:22 -0400 (EDT) Received: from isis.internal.bright-prospects.com ([127.0.0.1]) by localhost (isis.internal.bright-prospects.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sva81RmZH2Lo for ; Thu, 25 Oct 2012 22:06:20 -0400 (EDT) Received: from BASCHT520 (unknown [192.168.15.196]) by isis.internal.bright-prospects.com (Postfix) with ESMTP id 0784A122BB for ; Thu, 25 Oct 2012 22:06:19 -0400 (EDT) Date: Thu, 25 Oct 2012 22:06:19 -0400 From: Richard Basch Subject: RE: [krbdev.mit.edu #7432] krb5-1.10.3: Updating krbtgt with kvno 0 In-Reply-To: To: rt-comment@krbdev.mit.edu Message-ID: <00ab01cdb31e$7d91cb70$78b56250$@mit.edu> MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook 12.0 Content-Type: text/plain; charset=us-ascii Content-Language: en-us Content-Transfer-Encoding: 7BIT Thread-Index: Ac2zChu80r56I7uXSHKM9ylpVEKH9QAE2apQ X-Virus-Scanned: amavisd-new at mail.bright-prospects.com References: RT-Send-Cc: X-RT-Original-Encoding: us-ascii Content-Length: 2020 Admittedly, all the calls where the KDC was searching for the latest kvno, it was also passing -1 for the other two values. But, by having the function treat 0 as a special case for retrieving the latest kvno, it creates issues if you are trying to do a cpw on a key with -keepold and it was previously kvno=0. In my case, I had a database with krbtgt where kvno=0 because it was created in the early 1990s (back when the db_creation initialized with kvno=0 instead of kvno=1). Trying to update the key while maintaining compatibility with clients was proving problematic. Basically, in this case, all client caches would become "invalid" instantly if I were to update krbtgt, whereas had kvno >= 1, there would have been no issue. Any ideas how we should fix this case? (I hacked the files I stated so I didn't impact all the clients.) You can probably infer the exact situation I am facing, since I was planning to randomize the krbtgt in the upcoming couple weeks for a large Kerberos installation (with hundreds of millions of authentications daily and where I cannot simply invalidate everyone's ticket caches, even during a low-usage period). -----Original Message----- From: Greg Hudson via RT [mailto:rt-comment@krbdev.mit.edu] Sent: Thursday, October 25, 2012 7:35 PM To: basch@alum.mit.edu Subject: [krbdev.mit.edu #7432] krb5-1.10.3: Updating krbtgt with kvno 0 krb5_dbe_def_search_enctype does not currently treat kvno 0 the same way as kvno -1. kvno -1 means "ignore the kvno", while kvno 0 means "search only in the highest kvno". (Confusingly, if you pass kvno, stype, and ktype all as -1, the code optimizes by setting kvno to 0 in order to look only at entries of highest kvno, without a comment explaining what it's doing.) It may be that we don't need both modes of operation. Offhand, I can't imagine a situation where you want to search for a particular enctype and/or salt type across all key versions. But we'd need to analyze all of the call sites to make sure of that.