Obtaining Kerberos Tickets without the Microsoft PAC

Douglas E. Engert deengert at anl.gov
Fri Aug 22 10:30:10 EDT 2003



Sam Hartman wrote:
> 
> Doug, I presume that if you want Microsoft to do anything with your
> change you're going to submit it to them somehow.

Yes, and I got a positive reply that they will look at it. 

> 
> Also, I tend to believe that even if they add a service principal
> option, they should respect the pa-data type in tgs requests.

That would be a nice extra feature, as it would give the client some
control in special situations if needed.

> 
> I assume that you were not submitting this patch for inclusion in MIT
> Kerberos but were just giving a copy to the developer community.  As
> you know, you would want to open a bug report with the patch if you
> want us to consider it for inclusion.

Correct, this was more for testing than anything else.

> 
> If you do submit the patch for inclusion, you'd probably want to at
> least make the API for setting the option take a boolean to turn it on
> or off.  Of course you cannot implement it as a boolean because you
> cannot expand the init_creds structure exposed in the ABI.  In
> addition, you would probably need to include a config file option for
> setting the default value.

I added the init_creds and kinit -m option to make it more user friendly.
I just picked -m as it was an available option to kinit.    

Based on what the draft says it does, it was not clear what setting the
boolean to false actually did. It appears that setting it false is the
same as not including the pa-data.  

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

