Kerberos Feature Request

Sam Hartman hartmans at MIT.EDU
Tue Feb 10 15:23:17 EST 2004

>>>>> "Henry" == Henry B Hotz <hotz at> writes:

    Henry> I'm not sure if we're on the same wavelength or not.  Let
    Henry> me try again: I think there should be a standard way to
    Henry> fill in PAC data from outside the KDC.  Yes the obvious
    Henry> application is replacing a windows domain controller, but
    Henry> that's not the point because that's not what I'm asking
    Henry> for.  How can anyone make use of the PAC data option to the
    Henry> standard if there's no way to get useful data into the
    Henry> field?
PAC is a windows concept.  The authorization data field is in the
standard and includes the PAC.

    Henry> Are you saying that there is a plugin interface that does
    Henry> this, or just that that's your preferred solution?
    Henry> Is/would that plugin interface be supported by any non-MIT
    Henry> KDCs?

That's my preferred solution.  I would not mind non-MIT KDC vendors
being involved in the design process for such an interface, although
I'm concerned some of the internal datatypes you'd need would be MIT

More information about the krbdev mailing list