|From:||Luke Howard <firstname.lastname@example.org>|
|Subject:||ignore_kvno libdefault option|
|Date:||Tue, 17 Jan 2006 03:17:41 +1100|
Windows 2000 KDCs do not return key version numbers in tickets, whereas
Windows 2003 KDCs do. We have a customer that has deployed a large number
fo the former, with kvno=1 in each keytab; as soon as they upgrade to
Windows 2003 this will break.
The correct fix is obviously to rewrite the keytab with the real kvno,
however this is difficult to do in a distributed environment; the service
may have no way to contact a Windows 2003 KDC (to determine the kvno) until
it's too late, ie. it receives a ticket from a client that authenticated
against a Windows 2003 KDC.
It seems that the only reliable fix that will work in this deployment is
to allow the client library to ignore the ticket version number, even if
one is provided. (Note that in our environment there is only ever one
entry for a given principal/key type in the keytab.)