From ee7cfcadc60eac34bf646f765798ca5a01d311ed Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 16 Sep 2011 11:15:27 +1000 Subject: s4-kdc: default kvno for inter-domain trusts to zero the exact value doesn't matter, as both Samba and windows check against the latest password, but the old default of -1 caused ASN.1 parsing errors on windows, which prevented it answering TGS requests thanks to Hongwei Sun for finding this from a ttt trace Pair-Programmed-With: Andrew Bartlett --- source4/kdc/db-glue.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'source4/kdc') diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index cdc318a4a8..52bacd0f9d 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -896,7 +896,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, goto out; } - entry_ex->entry.kvno = -1; + entry_ex->entry.kvno = 0; + /* + we usually don't have a TRUST_AUTH_TYPE_VERSION field, as + windows doesn't create one, so we rely on the fact that both + windows and Samba don't actually check the kvno and instead + just check against the latest password blob. If we do have a + TRUST_AUTH_TYPE_VERSION field then we do use it, otherwise + we just use 0. + */ for (i=0; i < password_blob.count; i++) { if (password_blob.current.array[i].AuthType == TRUST_AUTH_TYPE_VERSION) { entry_ex->entry.kvno = password_blob.current.array[i].AuthInfo.version.version; -- cgit
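Review bot: The new comment in samba_kdc_trust_message2entry() explains why 0 is acceptable but not why -1 was not, and that reason is currently recorded only in the commit message (the old default caused ASN.1 parsing errors on Windows, which stopped it answering TGS requests). Add a sentence to the comment saying so, so that a later cleanup does not restore -1 as an "unknown kvno" sentinel. The comment would also read better placed above `entry_ex->entry.kvno = 0;` rather than between the assignment and the `for` loop, since it documents the default and the loop only overrides it when a TRUST_AUTH_TYPE_VERSION entry is present. Finally, the comment relies on Windows and Samba both ignoring the kvno for trust accounts and checking against the latest password blob; since that is an interoperability assumption rather than something enforced in this function, it is worth pointing at where Samba's side of that check lives.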