Ticket History #3349: Allow keytab entries to ignore the key version

Windows 2000 KDCs do not return key version numbers in tickets, whereas
Windows 2003 KDCs do. We have a customer that has deployed a large number
fo the former, with kvno=1 in each keytab; as soon as they upgrade to
Windows 2003 this will break.

The correct fix is obviously to rewrite the keytab with the real kvno,
however this is difficult to do in a distributed environment; the service
may have no way to contact a Windows 2003 KDC (to determine the kvno) until
it's too late, ie. it receives a ticket from a client that authenticated
against a Windows 2003 KDC.

It seems that the only reliable fix that will work in this deployment is
to allow the client library to ignore the ticket version number, even if
one is provided. (Note that in our environment there is only ever one
entry for a given principal/key type in the keytab.)

Patch at:

http://www.padl.com/~lukeh/kt_file.c.diff

-- Luke

--

Allow unspecified kvno in keytab entries

In ktutil, make "-k 0" work when creating a keytab entry. In the
keytab implementations, treat entries with unspecified kvnos as
low-priority matches.

[ghudson@mit.edu: adjusted to current file keytab code; added logic
for other keytab types; wrote commit message]

https://github.com/krb5/krb5/commit/91afad7fc60fe6ce86f8d4a8ef4ce53c7cada31a
Author: Luke Howard <lukeh@padl.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 91afad7fc60fe6ce86f8d4a8ef4ce53c7cada31a
Branch: master
src/kadmin/ktutil/ktutil.c | 6 ++++--
src/lib/krb5/keytab/kt_file.c | 2 +-
src/lib/krb5/keytab/kt_memory.c | 2 +-
src/lib/krb5/keytab/kt_srvtab.c | 2 +-
4 files changed, 7 insertions(+), 5 deletions(-)