Using Windows AD generated Kerberos tickets without a PAC

Douglas E. Engert deengert at anl.gov
Thu Aug 19 08:35:41 EDT 2004
Bob.Smart at csiro.au wrote:
> Pardon my question. I'm sure this is obvious, but I'd like to see it
> explicitly stated before I hassle our Domain Controller people to
> implement this.
> 

Glad you asked.

> I presume that this only applies when users kinit from a unix
> environment. I.e. if you install this patch and configure users with
> this option then it will have no effect when they do a domain login and
> access windows resources. It will only change the behaviour when they do
> a kinit in a unix environment.


NO. This is an option for a server not a user. It tells the AD to not add the
PAC to the server ticket being created. You would set this bit for the
server account. Then even if the user's TGT had a PAC, the AD would not copy
it to the server ticket.  The idea is the ticket will be smaller, and since
the service is NEVER going to use the PAC, don't send it. This is very helpful
if the ticket needs to be sent via UDP from a client to a server, where the
protocol is expecting a small ticket.  AFS and KX509 are good examples.

This might also work on a cross realm TGT service, if you have AD and MIT doing
cross realm where users are in AD and servers are in an MIT based realm.
i.e. the krbtgt/mit.realm at ad.realm would not have a PAC, so the MIT KDC would
never see the PAC.

You would not want to set this to a windows user account, as it might mean
that the user could not windows without a PAC.

> 
> I hope. Otherwise it's not much use (in which case I'd really like to see
> the kinit option added, to not request a PAC.

There is a way to request a TGT without a PAC today. If the AS-REQ has a
PA-DATA with the PA-PAC-REQUEST the AD will not add a PAC. The Windows
runas /netonly command sends this. I have a patch somewhere to add this
to the MIT kinit. If you are interested, drop me a note and I will find them.

> Indeed I think that is a
> good idea anyway because I'm quite sure our Domain Controller people
> will be hard to convince to apply this patch, and I'm sure I won't be
> the only one in that regard.)

The patch can be applied. It is only activated for an account when the
NO_AUTH_DATA_REQUIRED flag is set.

> 
> The widespread deployment of KDCs under the guise of Active Directory
> provides a great opportunity for kerberos. Hopefully we can soon put PAC
> problems behind us and realise our SSO dreams.
> 
> Bob

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
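Added illustration of the two mechanisms discussed in this reply (not code from the thread or from MIT Kerberos): a tiny DER encoder/decoder for the PA-PAC-REQUEST pre-authentication element a client puts in the AS-REQ, and a check of the NO_AUTH_DATA_REQUIRED bit on a service account's userAccountControl. The PA-DATA layout follows RFC 4120; padata-type 128 and the bit value 0x02000000 come from MS-KILE/ADS_UF_* documentation and are not stated on the page.

```python
"""Encode/decode Kerberos PA-PAC-REQUEST and test the AD no-PAC account bit.
Constructed example for the thread above; not MIT Kerberos code."""

PA_PAC_REQUEST = 128            # padata-type for KERB-PA-PAC-REQUEST (MS-KILE)
NO_AUTH_DATA_REQUIRED = 0x02000000  # userAccountControl bit; assumed documented value


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV; short-form length is enough for these tiny structures."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _der_int(n: int) -> bytes:
    """DER INTEGER with the leading 0x00 that values like 128 require."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """PA-DATA { padata-type [1] 128, padata-value [2] OCTET STRING(KERB-PA-PAC-REQUEST) }.
    KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }."""
    kerb = _tlv(0x30, _tlv(0xA0, _tlv(0x01, b"\xff" if include_pac else b"\x00")))
    return _tlv(0x30, _tlv(0xA1, _der_int(PA_PAC_REQUEST)) + _tlv(0xA2, _tlv(0x04, kerb)))


def _read_tlv(buf: bytes, expect: int):
    """Return (body, rest) for one TLV, rejecting unexpected tags or short input."""
    if len(buf) < 2 or buf[0] != expect or buf[1] >= 128 or len(buf) < 2 + buf[1]:
        raise ValueError(f"bad DER element, expected tag {expect:#x}")
    return buf[2:2 + buf[1]], buf[2 + buf[1]:]


def parse_pa_pac_request(padata: bytes) -> bool:
    """Return the include-pac flag from a PA-DATA element (as a KDC would read it)."""
    seq, rest = _read_tlv(padata, 0x30)
    if rest:
        raise ValueError("trailing bytes after PA-DATA")
    ptype, seq = _read_tlv(seq, 0xA1)
    ival, _ = _read_tlv(ptype, 0x02)
    if int.from_bytes(ival, "big", signed=True) != PA_PAC_REQUEST:
        raise ValueError("padata-type is not PA-PAC-REQUEST")
    pval, _ = _read_tlv(seq, 0xA2)
    octets, _ = _read_tlv(pval, 0x04)
    kerb, _ = _read_tlv(octets, 0x30)
    ctx, _ = _read_tlv(kerb, 0xA0)
    flag, _ = _read_tlv(ctx, 0x01)
    return flag != b"\x00"


def pac_suppressed_for_service(user_account_control: int) -> bool:
    """True when the service account carries NO_AUTH_DATA_REQUIRED, so the
    KDC omits the PAC from tickets for that service even if the TGT had one."""
    return bool(user_account_control & NO_AUTH_DATA_REQUIRED)
```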
