Kerberos Feature Request

Henry B. Hotz hotz at
Tue Feb 10 13:27:05 EST 2004

I probably should send this to the IETF group, but I'm not on their 
mailing lists.  (Apologies if the cross-posting causes problems.)  It 
would be *nice* if all Kerberos distributions added this feature the 
same way.

One of the famous things that Microsoft did in their AD Kerberos 
implementation is added authorization data to the (supposedly 
optional) PAC field that is necessary when using certain other 
Microsoft functionality.  AFAIK all of the information added is also 
contained in the LDAP directory that AD also provides.

I do not think it makes any sense for a (non-Microsoft) Kerberos 
server to directly maintain this data.  Rather it should have a 
mechanism for acquiring the data from an external source, such as an 
LDAP directory.

My request is that the Kerberos community agree on a standard 
external interface to get that data.  If the interface itself were 
standardized then the work of connecting that interface to the 
appropriate AD attributes could be done independently of any Kerberos 
server, and could be updated as Microsoft updates their schema 
independent of Kerberos versions.  It would also make the use of PAC 
data in non-Microsoft environments much easier to consider.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list