[OpenAFS] Using Windows AD generated Kerberos tickets without a PAC
Jeffrey Altman
jaltman at MIT.EDU
Wed Aug 18 12:02:01 EDT 2004
Douglas E. Engert wrote:
> The long awaited change from Microsoft is finally out. The change to AD
> allows a bit to be set in the userAccountControl that says that service
> tickets created for this service should not include a PAC. This will make
> them substantially smaller, and usable with UDP or other places where
> size is a problem.
>
> This change was originally requested almost a year ago for use with
> OpenAFS. Since then OpenAFS in release 1.3.70 has made a change to allow
> for larger tickets.
>
> But there may still be situations where this patch may be useful, such as
> with other UDP based protocols, or with older Kerberos versions that do
> not support TCP to the KDC.
>
> "An update is available that introduces the NO_AUTH_REQUIRED flag to
> the UserAccountControl property in Windows 2000"
> http://support.microsoft.com/?kbid=832572
Or with 1.2.8 AFS Servers that can't handle large tickets in tokens.