Using Windows AD generated Kerberos tickets without a PAC
Bob.Smart@csiro.au
Wed Aug 18 20:18:15 EDT 2004
Pardon my question. I'm sure this is obvious, but I'd like to see it
explicitly stated before I hassle our Domain Controller people to
implement this.

I presume that this only applies when users kinit from a unix
environment. I.e. if you install this patch and configure users with
this option then it will have no effect when they do a domain login and
access Windows resources. It will only change the behaviour when they do
a kinit in a unix environment.

I hope. Otherwise it's not much use (in which case I'd really like to see
the kinit option added, to not request a PAC. Indeed I think that is a
good idea anyway because I'm quite sure our Domain Controller people
will be hard to convince to apply this patch, and I'm sure I won't be
the only one in that regard.)

The widespread deployment of KDCs under the guise of Active Directory
provides a great opportunity for Kerberos. Hopefully we can soon put PAC
problems behind us and realise our SSO dreams.

Bob