Why NOMSPAC is a valuable temporary inclusion in kerberos

Douglas E. Engert deengert at anl.gov
Wed Dec 24 10:02:14 EST 2003


Actually, Microsoft is working on a patch to AD that will allow
the AD admin to set a "no PAC" in tickets for selected services
(KX509 and AFS for example). I expect to see them release this
any day as a hotfix. Once this is installed on the AD, clients would
not need to use the NOPAC ticket mod, as tickets issued for the KX509
KCA or AFS would not have a PAC.

We too are interested in KX509, and added mods (sent to Bill)
to allow for a 4K UDP packet as a stop-gap measure. It gets fragmented
but works.

So the mod to the kinit krb5-1.3.1 may not be needed. But it did point
out a problem in the way the pre-auth for the KERB-PA-PAC-REQUEST
was being handled in the KDC. 
.Smart at csiro.au wrote:
> 
> Douglas E. Engert's patch installs fairly easily on 1.3.1.
> http://mailman.mit.edu/pipermail/krbdev/2003-August/001917.html.
> It makes it practicable to use an AD KDC with older UDP-only
> Kerberos apps. So please include it or equivalent. KX509 is
> the application of interest to me, as per this example:
> 
>   $ kinit
>   Password for sma045 at NEXUS.CSIRO.AU:
>   $ kx509
>   Weird!  KX509 transmit packet is too large!
>   $ kdestroy
>   $ /opt/krb5/bin/kinit -m
>   Password for sma045 at NEXUS.CSIRO.AU:
>   $ kx509
>   Timed out waiting for response from a Kerberized Certificate Authority
> 
> As you can see there is no KCA running during this series.
> Without -m it doesn't get as far as trying to contact kca.
> 
> Bob
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
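The pre-authentication element mentioned above, KERB-PA-PAC-REQUEST, is what a "no PAC" client mod such as the kinit -m patch in this thread sends to ask the KDC to leave the PAC out of the ticket. The following is an added example, not code from the patch or from MIT krb5: it hand-encodes and strictly parses that element in DER. It assumes the structure published in MS-KILE, PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN } carried as PA-DATA with padata-type 128; all byte values in it are constructed from those definitions.

```python
"""Build and parse the KERB-PA-PAC-REQUEST pre-authentication element.

Constructed example for the thread above, not code from the patch discussed.
Structure assumed from MS-KILE 2.2.3:
    PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
carried as PA-DATA (RFC 4120 5.2.7) with padata-type 128.
"""

PA_PAC_REQUEST = 128  # padata-type assigned to PA-PAC-REQUEST (MS-KILE)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, DER length, content."""
    return bytes([tag]) + der_length(len(content)) + content


def der_int32(value: int) -> bytes:
    """ASN.1 INTEGER in minimal two's complement (128 needs a leading 0x00)."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return der_tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """PA-PAC-REQUEST value; DER BOOLEAN is 0xFF for TRUE and 0x00 for FALSE."""
    boolean = der_tlv(0x01, b"\xff" if include_pac else b"\x00")
    return der_tlv(0x30, der_tlv(0xA0, boolean))


def encode_padata(include_pac: bool) -> bytes:
    """Full PA-DATA element as it would sit in the AS-REQ padata list."""
    ptype = der_tlv(0xA1, der_int32(PA_PAC_REQUEST))
    pvalue = der_tlv(0xA2, der_tlv(0x04, encode_pa_pac_request(include_pac)))
    return der_tlv(0x30, ptype + pvalue)


def _read_tlv(data: bytes, pos: int, expect_tag: int):
    """Return (content, next_pos); reject wrong tags and bad or truncated lengths."""
    if pos >= len(data) or data[pos] != expect_tag:
        raise ValueError("unexpected tag at offset %d" % pos)
    pos += 1
    if pos >= len(data):
        raise ValueError("truncated length")
    first = data[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        if length < 0x80 or data[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("content truncated")
    return data[pos:pos + length], pos + length


def decode_pa_pac_request(data: bytes) -> bool:
    """Parse a PA-PAC-REQUEST value strictly; trailing or malformed bytes are an error."""
    seq, end = _read_tlv(data, 0, 0x30)
    if end != len(data):
        raise ValueError("trailing bytes after SEQUENCE")
    ctx, end = _read_tlv(seq, 0, 0xA0)
    if end != len(seq):
        raise ValueError("trailing bytes in SEQUENCE")
    boolean, end = _read_tlv(ctx, 0, 0x01)
    if end != len(ctx) or len(boolean) != 1:
        raise ValueError("malformed BOOLEAN")
    if boolean[0] not in (0x00, 0xFF):  # DER allows exactly these two values
        raise ValueError("non-DER BOOLEAN value 0x%02x" % boolean[0])
    return boolean[0] == 0xFF


if __name__ == "__main__":
    print("no-PAC request:", encode_padata(False).hex())
    print("round trip:", decode_pa_pac_request(encode_pa_pac_request(False)))
```

The decoder is deliberately strict: a KDC that accepts a sloppy BOOLEAN or ignores trailing bytes is the kind of handling error the message above says the pre-auth path had, so the parser rejects anything that is not canonical DER rather than guessing.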

