Make this work with kvno 0 and no kvno

kdc/krb5tgs.c

@@ -1194,9 +1194,7 @@ tgs_parse_request(krb5_context context,
     krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
     ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT,
 			&krbtgt_kvno, NULL, krbtgt);
-    krbtgt_kvno_try = ap_req.ticket.enc_part.kvno ?
+    krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : (*krbtgt)->entry.kvno;
-	*ap_req.ticket.enc_part.kvno :
-	(*krbtgt)->entry.kvno;
 
     if (ret == HDB_ERR_NOT_FOUND_HERE) {
 	/* XXX Factor out this unparsing of the same princ all over */

tests/kdc/check-kdc.in

@@ -77,7 +77,7 @@ kgetcred="${kgetcred} -c $cache"
 kgetcred_imp="${kgetcred} -c $cache --out-cache=${ocache}"
 kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
 kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}"
-test_set_kvno0="${test_set_kvno0} -c $cache -n"
+test_set_kvno0="${test_set_kvno0} -c $cache"
 
 rm -f ${keytabfile}
 rm -f current-db*
@@ -272,6 +272,33 @@ echo "Start tracing kdc, then hit return"
 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 
+echo "Trying x-realm TGT with no kvno case";
+${kinit} --password-file=${objdir}/foopassword foo@$R ||
+	{ ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
+echo "Getting cross realm tickets"; > messages.log
+${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
+echo "Getting service ticket"; > messages.log
+${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Trying x-realm TGT with no kvno case with key rollover";
+${kinit} --password-file=${objdir}/foopassword foo@$R ||
+	{ ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
+echo "Getting cross realm tickets"; > messages.log
+${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Rolling over cross realm keys"; > messages.log
+${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
+echo "Getting service ticket"; > messages.log
+echo "Start tracing kdc, then hit return"
+${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
 echo "try all permutations"; > messages.log
 for a in $enctypes; do
 	echo "Getting client initial tickets ($a)"; > messages.log