Using Windows AD generated Kerberos tickets without a PAC
Luke Howard
lukeh at PADL.COM
Thu Aug 19 10:24:57 EDT 2004
>You would not want to set this to a windows user account, as it might mean
>that the user could not windows without a PAC.
Actually, it probably won't make any difference if you set it on a user
account (although I haven't tried -- be interested to know).
If you set it on a machine trust account for a Windows workstation then,
yes, I would expect that you would not be able to log on.
>There is a way to request a TGT without a PAC today. If the AS-REQ has a
>PA-DATA with the PA-PAC-REQUEST the AD will not add a PAC. The Windows
>runas /netonly command sends this. I have a patch somewhere to add this
>to the MIT kinit. If you are interested, drop me a note and I will find them.
I think the Heimdal kinit already supports this.
-- Luke
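
The PA-DATA element discussed in the quoted text, as an added example that is not part of the original post or of any kinit patch: a DER encoder and decoder for KERB-PA-PAC-REQUEST (padata-type 128, include-pac BOOLEAN, per MS-KILE), showing the bytes that appear in an AS-REQ when include-pac is FALSE. The function names are illustrative assumptions.

```python
# KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }      (MS-KILE)
# PA-DATA ::= SEQUENCE { padata-type [1] Int32,
#                        padata-value [2] OCTET STRING }            (RFC 4120)
PA_PAC_REQUEST = 128  # padata-type assigned to PA-PAC-REQUEST


def tlv(tag, content):
    """Wrap content in a DER tag/length header (short-form length only)."""
    if len(content) > 127:
        raise ValueError("long-form length not needed for this element")
    return bytes([tag, len(content)]) + content


def der_int(value):
    """DER INTEGER, non-negative; 128 needs a leading 0x00 to stay positive."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_pa_pac_request(include_pac):
    """Build the PA-DATA element that carries KERB-PA-PAC-REQUEST."""
    flag = tlv(0x01, b"\xff" if include_pac else b"\x00")  # DER BOOLEAN
    pac_request = tlv(0x30, tlv(0xA0, flag))
    padata_type = tlv(0xA1, der_int(PA_PAC_REQUEST))
    padata_value = tlv(0xA2, tlv(0x04, pac_request))
    return tlv(0x30, padata_type + padata_value)


def read_tlv(buf, tag):
    """Return (content, rest) after checking tag and short-form length."""
    if len(buf) < 2 or buf[0] != tag or buf[1] > 127 or len(buf) < 2 + buf[1]:
        raise ValueError(f"expected DER tag 0x{tag:02x}")
    return buf[2:2 + buf[1]], buf[2 + buf[1]:]


def decode_pa_pac_request(pa_data):
    """Parse one PA-DATA element and return its include-pac flag."""
    seq, _ = read_tlv(pa_data, 0x30)
    type_field, rest = read_tlv(seq, 0xA1)
    integer, _ = read_tlv(type_field, 0x02)
    if int.from_bytes(integer, "big", signed=True) != PA_PAC_REQUEST:
        raise ValueError("padata-type is not PA-PAC-REQUEST")
    octets, _ = read_tlv(read_tlv(rest, 0xA2)[0], 0x04)
    flag, _ = read_tlv(read_tlv(read_tlv(octets, 0x30)[0], 0xA0)[0], 0x01)
    if len(flag) != 1:
        raise ValueError("BOOLEAN must be exactly one byte")
    return flag != b"\x00"


if __name__ == "__main__":
    print(encode_pa_pac_request(False).hex())  # constructed sample, no PAC requested
```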