linux – 从Active Directory中检索当前的Kerberos KVNO

密钥版本号在MS-KILE第3.1.5.8节中描述.

顺便说一句,Mathias R. Jessen是正确的,因为Windows通常会忽略KVNO.但它们仍然以RFC投诉方式实施.

http://blogs.msdn.com/b/openspecification/archive/2009/11/13/to-kvno-or-not-to-kvno-what-is-the-version.aspx

No,Windows does not pay attention to KVNO. It simply ignores it.

但是KVNO在RODC环境中确实有一些意义：

http://blogs.msdn.com/b/openspecification/archive/2011/05/11/notes-on-kerberos-kvno-in-windows-rodc-environment.aspx

这里有更多信息：http://support.microsoft.com/kb/2716037

In an environment with one or more RODCs authentication may fail when
interacting with certain MIT based Kerberos devices in one of the
following scenarios.

· The client is an MIT device which received a TGT from
Windows KDC on RODC

· The client passes a TGT generated by Windows KDC on RODC to
MIT Device which in turn uses the TGT to request a TGS on behalf of
the calling user.

In both scenarios the TGT will have been issued by an RODC where the
msDS-SecondaryKrbTgtNumber associated with the krbtgt account for that RODC will have a value greater than 32767.