[OpenAFS] Using Windows AD generated Kerberos tickets without a PAC

Jeffrey Altman jaltman at MIT.EDU
Wed Aug 18 12:02:01 EDT 2004


Douglas E. Engert wrote:

> The long awaited change from Microsoft is finally out. The change to AD
> allows a bit to be set in the userAccountControl that says that service
> tickets created for this service should not include a PAC. This will make
> them substantially smaller, and usable with UDP or other places where size
> is a problem.
>
> This change was originally requested almost a year ago for use with
> OpenAFS. Since then OpenAFS in release 1.3.70 has made a change to allow
> for larger tickets.
>
> But there may still be situations where this patch may be useful, such as
> with other UDP based protocols, or with older Kerberos versions that do
> not support TCP to the KDC.
>
>   "An update is available that introduces the NO_AUTH_REQUIRED flag to
>    the UserAccountControl property in Windows 2000"
>    http://support.microsoft.com/?kbid=832572

Or with 1.2.8 AFS Servers that can't handle large tickets in tokens.



