Using Windows AD generated Kerberos tickets without a PAC
Luke Howard
lukeh at PADL.COM
Wed Aug 18 21:40:10 EDT 2004
>I presume that this only applies when users kinit from a unix
>environment. I.e. if you install this patch and configure users with
>this option then it will have no effect when they do a domain login and
>access windows resources. It will only change the behaviour when they do
>a kinit in a unix environment.
You don't configure ordinary users with this option; rather, you configure
service accounts (e.g. machines).
>I hope. Otherwise it's not much use (in which case I'd really like to see
>the kinit option added, to not request a PAC. Indeed I think that is a
>good idea anyway because I'm quite sure our Domain Controller people
>will be hard to convince to apply this patch, and I'm sure I won't be
>the only one in that regard.)
Certainly, you can modify kinit to send pre-authentication data to the
domain controller asking it not to include a PAC. But this doesn't help
you if you have logged onto a Windows client and wish to access a UNIX
service that cannot deal with the increased ticket size.
cheers,
-- Luke
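As an added example, not part of this thread: the pre-authentication data Luke mentions is the KERB-PA-PAC-REQUEST element (padata-type 128, defined in MS-KILE and listed in RFC 4120). This Python encodes and strictly parses it so you can see what a "please omit the PAC" request looks like on the wire.

```python
# Added example (not from the thread): the AS-REQ pre-authentication element that
# asks a Windows KDC to omit the PAC. Per MS-KILE and RFC 4120 it is
#   KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
# carried in PA-DATA { padata-type [1] Int32, padata-value [2] OCTET STRING }, type 128.
PA_PAC_REQUEST = 128  # padata-type assigned to KERB-PA-PAC-REQUEST

def _tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV; short-form lengths are enough for this element."""
    if len(content) >= 128:
        raise ValueError("element unexpectedly large")
    return bytes([tag, len(content)]) + content

def _read(buf: bytes, pos: int, tag: int):
    """Read one short-form DER TLV at pos, check its tag, return (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if buf[pos] != tag or end > len(buf):
        raise ValueError(f"bad tag {buf[pos]:#x} or length at offset {pos}")
    return buf[pos + 2:end], end

def encode_pac_request(include_pac: bool) -> bytes:
    """DER-encode KERB-PA-PAC-REQUEST; DER spells TRUE as 0xFF and FALSE as 0x00."""
    boolean = _tlv(0x01, b"\xff" if include_pac else b"\x00")
    return _tlv(0x30, _tlv(0xA0, boolean))  # [0] EXPLICIT inside the SEQUENCE

def encode_padata(include_pac: bool) -> bytes:
    """Wrap the element in a PA-DATA with padata-type 128 (encoded 00 80 to stay positive)."""
    ptype = _tlv(0xA1, _tlv(0x02, PA_PAC_REQUEST.to_bytes(2, "big")))
    pvalue = _tlv(0xA2, _tlv(0x04, encode_pac_request(include_pac)))
    return _tlv(0x30, ptype + pvalue)

def decode_pac_request(data: bytes) -> bool:
    """Parse KERB-PA-PAC-REQUEST strictly: trailing bytes or a non-DER BOOLEAN are rejected."""
    seq, end = _read(data, 0, 0x30)
    ctx, end2 = _read(seq, 0, 0xA0)
    boolean, end3 = _read(ctx, 0, 0x01)
    if (end, end2, end3) != (len(data), len(seq), len(ctx)) or boolean not in (b"\x00", b"\xff"):
        raise ValueError("malformed KERB-PA-PAC-REQUEST")
    return boolean == b"\xff"

def decode_padata(data: bytes) -> tuple:
    """Parse a PA-DATA and return (padata-type, include-pac); only type 128 is accepted."""
    seq, _ = _read(data, 0, 0x30)
    ctx1, pos = _read(seq, 0, 0xA1)
    ptype = int.from_bytes(_read(ctx1, 0, 0x02)[0], "big", signed=True)
    if ptype != PA_PAC_REQUEST:
        raise ValueError(f"unexpected padata-type {ptype}")
    ctx2, _ = _read(seq, pos, 0xA2)
    return ptype, decode_pac_request(_read(ctx2, 0, 0x04)[0])
```

A KDC-side or proxy-side parser that accepts this element should be as strict as `decode_pac_request`: the whole value is seven bytes, and anything else is a malformed request rather than a hint to be tolerated.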