[cifs-protocol] [MS-KILE] - DER encoding of KVNO

Uri Simchoni uri at samba.org
Thu May 5 21:25:53 UTC 2016


This is in reference to Samba bug
https://bugzilla.samba.org/show_bug.cgi?id=11900. I seek clarification
on encoding of Kerberos tickets.

We've found that when generating a TGS request, the Kerberos library
that's bundled with Samba encodes a KVNO larger than 0x7fffffff using 5
bytes, and this seems to upset Windows domain controllers (2003R2 and
2008R2), which seem to expect a maximum of 4 bytes in the KVNO. We've
demonstrated that encoding the KVNO in 4 bytes fixes the issue.

We easily get to such a high KVNO when working against an RODC which is
configured to cache our machine account password. In that case the TGT
we get has a high KVNO because it's made up of two fields. It appears
that we decode and re-encode the TGT (the unencrypted parts) before
sending it in a TGS-REQ.

According to RFC 4120, a KVNO is an unsigned 32-bit integer, and
according to DER, such an integer in the range of 0x80000000-0xFFFFFFFF
has to be encoded using 5 bytes, so it seems Samba's in compliance with
the standard here.

Can you confirm that Windows expects up to 4 bytes in the KVNO? If yes,
can it be said that Windows is too restrictive here?
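
The length difference described in the message above, as an added example that is not part of the original post or of Samba's code: a minimal DER INTEGER encoder and strict decoder showing a KVNO with the top bit set taking 5 content bytes as an unsigned value and 4 when reinterpreted as a signed 32-bit integer. The sample KVNO is constructed, and treating the 4-byte form as the signed reinterpretation is an assumption; the post only says that a 4-byte encoding fixed the issue.

```python
def der_integer(value: int) -> bytes:
    """DER INTEGER: tag 0x02, short-form length, minimal two's-complement content."""
    # bit_length() ignores the sign; one extra bit is needed for the sign itself.
    magnitude = value if value >= 0 else value + 1
    nbytes = magnitude.bit_length() // 8 + 1
    if nbytes > 127:
        raise ValueError("long-form lengths not needed for a 32-bit KVNO")
    return bytes([0x02, nbytes]) + value.to_bytes(nbytes, "big", signed=True)


def der_integer_decode(buf: bytes) -> int:
    """Decode a DER INTEGER, rejecting wrong tags, bad lengths and non-minimal forms."""
    if len(buf) < 3 or buf[0] != 0x02 or buf[1] > 127 or len(buf) != 2 + buf[1]:
        raise ValueError("not a well-formed short-form DER INTEGER")
    content = buf[2:]
    if len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise ValueError("non-minimal encoding is not valid DER")
    return int.from_bytes(content, "big", signed=True)


def as_int32(kvno: int) -> int:
    """Reinterpret an unsigned 32-bit KVNO as signed 32-bit (the assumed 4-byte form)."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("KVNO out of 32-bit range")
    return kvno - (1 << 32) if kvno & 0x80000000 else kvno


def as_uint32(value: int) -> int:
    """What a receiver must do to recover the unsigned KVNO from the signed form."""
    return value & 0xFFFFFFFF


SAMPLE_KVNO = 0x8A3C0001  # constructed value with the top bit set, not from the bug report

if __name__ == "__main__":
    for label, v in (("unsigned", SAMPLE_KVNO), ("signed int32", as_int32(SAMPLE_KVNO))):
        enc = der_integer(v)
        print(f"{label:>12}: {enc.hex(' ')}  ({enc[1]} content bytes)")
```

Both outputs are valid DER, but they denote different integers: the 4-byte form decodes to a negative number, so a peer that accepts it has to mask the result back to 32 bits to obtain the same KVNO.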
