From: Ian Crowther
Date: Sat, 5 Jan 2013 01:09:53 +0000
Subject: klist/ktutil wrapping kvno field
To: krb5-bugs@mit.edu

When ktadmin is used to put a principal with kvno 320 into a file, klist and
ktutil both show that the file has a kvno of 64.

Kaduk states "It is almost certain that klist is assuming the kvno is an
8-bit field, so 320 wraps around to 64.
(In krb4, the kvno field actually was 8 bits.)" which would be consistent
with both getprinc and klist's kvno incrementing 'independently'.

Sample log:

kadmin.local: getprinc cfengine-policyhost/admin@EXAMPLE.COM
Principal: cfengine-policyhost/admin@EXAMPLE.COM
Expiration date: [never]
Last password change: Sat Jan 05 00:46:15 GMT 2013
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat Jan 05 00:46:15 GMT 2013 (root/admin@EXAMPLE.COM)
Last successful authentication: Sat Jan 05 00:16:01 GMT 2013
Last failed authentication: Sat Jan 05 00:14:55 GMT 2013
Failed password attempts: 0
Number of keys: 4
Key: vno 319, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 319, ArcFour with HMAC/md5, no salt
Key: vno 319, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 319, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: service

kadmin.local: ktadd -k /tmp/newfile cfengine-policyhost/admin
Entry for principal cfengine-policyhost/admin with kvno 320, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/tmp/newfile.
Entry for principal cfengine-policyhost/admin with kvno 320, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/tmp/newfile.
Entry for principal cfengine-policyhost/admin with kvno 320, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/newfile.
Entry for principal cfengine-policyhost/admin with kvno 320, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/newfile.
kadmin.local:

0 root@caffeine:/var/cfengine/inputs[2] klist -k /tmp/newfile
Keytab name: WRFILE:/tmp/newfile
KVNO Principal
---- --------------------------------------------------------------------------
  64 cfengine-policyhost/admin@EXAMPLE.COM
  64 cfengine-policyhost/admin@EXAMPLE.COM
  64 cfengine-policyhost/admin@EXAMPLE.COM
  64 cfengine-policyhost/admin@EXAMPLE.COM
0 root@caffeine:/var/cfengine/inputs[2]
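
Added example (not part of the original report and not MIT krb5 code): a small keytab record reader that shows kvno 320 reading back as 64 from an 8-bit field, and what a trailing 32-bit key version would preserve. The record layout (version 0x0502: an 8-bit key version before the enctype and key, optionally followed by a 32-bit key version) is an assumption, and all function names are hypothetical.

```python
import io
import struct

def counted(b):
    return struct.pack(">H", len(b)) + b

def build_entry(realm, comps, kvno, enctype, key, with_kvno32):
    parts = [struct.pack(">H", len(comps)), counted(realm), *map(counted, comps),
             struct.pack(">IIB", 1, 0, kvno & 0xFF),  # name type, time, 8-bit kvno
             struct.pack(">H", enctype), counted(key),
             struct.pack(">I", kvno) if with_kvno32 else b""]  # optional 32-bit kvno
    body = b"".join(parts)
    return struct.pack(">i", len(body)) + body

def parse_record(rec):
    buf = io.BytesIO(rec)
    def take(n):
        raw = buf.read(n)
        if len(raw) != n:
            raise ValueError("record ends inside a field")
        return raw
    def num(n):
        return int.from_bytes(take(n), "big")
    ncomp, realm = num(2), take(num(2))
    comps = [take(num(2)) for _ in range(ncomp)]
    take(8)                                   # name type and timestamp
    kvno8 = num(1)
    take(2)                                   # enctype
    take(num(2))                              # key bytes
    kvno32 = num(4) if len(rec) - buf.tell() >= 4 else None
    return b"/".join(comps).decode() + "@" + realm.decode(), kvno8, kvno32

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if end > len(data):
            raise ValueError("record overruns file")
        if size > 0:                          # negative size marks a deleted slot
            out.append(parse_record(data[pos:end]))
        pos = end
    return out

# Constructed sample: principal and kvno 320 from the log, enctype 18, dummy key.
ARGS = (b"EXAMPLE.COM", [b"cfengine-policyhost", b"admin"], 320, 18, bytes(32))
SHORT, WIDE = (b"\x05\x02" + build_entry(*ARGS, with_kvno32=w) for w in (False, True))
```

parse_keytab(SHORT) reports kvno8 = 64 with no 32-bit value, while parse_keytab(WIDE) reports kvno8 = 64 alongside kvno32 = 320.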