Kerberos Feature Request

Henry B. Hotz hotz at
Tue Feb 10 15:18:32 EST 2004

I'm not sure if we're on the same wavelength or not.  Let me try again:

I think there should be a standard way to fill in PAC data from 
outside the KDC.  Yes the obvious application is replacing a windows 
domain controller, but that's not the point because that's not what 
I'm asking for.  How can anyone make use of the PAC data option to 
the standard if there's no way to get useful data into the field?

Are you saying that there is a plugin interface that does this, or 
just that that's your preferred solution?  Is/would that plugin 
interface be supported by any non-MIT KDCs?

At 2:14 PM -0500 2/10/04, Sam Hartman wrote:
>[cc list trimmed]
>>>>>>  "Henry" == Henry B Hotz <hotz at> writes:
>     Henry> I probably should send this to the IETF group, but I'm not
>     Henry> on their mailing lists.  (Apologies if the cross-posting
>     Henry> causes problems.)  It would be *nice* if all Kerberos
>     Henry> distributions added this feature the same way.
>     Henry> One of the famous things that Microsoft did in their AD
>     Henry> Kerberos implementation is added authorization data to the
>     Henry> (supposedly optional) PAC field that is necessary when
>     Henry> using certain other Microsoft functionality.  AFAIK all of
>     Henry> the information added is also contained in the LDAP
>     Henry> directory that AD also provides.
>     Henry> I do not think it makes any sense for a (non-Microsoft)
>     Henry> Kerberos server to directly maintain this data.  Rather it
>     Henry> should have a mechanism for acquiring the data from an
>     Henry> external source, such as an LDAP directory.
>I agree with you so far.  I disagree however that we should focus on
>providing the same data as the AD interface.
>Replacing a windows domain controller with a Kerberos server is a fine
>goal.  Kerberos vendors should support it with plugins.
>But Microsoft seems to have solved the problem well for Windows
>machines.  Many aspects of the solution do not seem to be appropriate
>for other environments.
>As such, I'd rather see the Kerberos community work on its own more
>general solution and let folks like Samba etc work on replacing
>Windows DCs. 
>I don't think you will see standardization of the interfaces for
>getting this information.  I understand it would be nice for you.  I
>just don't know that there will be resources available for that
>standardization work.  It's certainly outside the scope of the IETF.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list