Incorrect expiration time for tickets returned from Windows KDCs

Andrew Bartlett abartlet at
Sun Aug 28 18:20:07 EDT 2005

On Thu, 2005-08-25 at 14:46 -0600, Wachdorf, Daniel R wrote:
> I don't know specifically about the expiration time issue, but I do know
> you need to be really careful because Microsoft KDCS will throw error
> code 52 - which means you PAC is too big and the KDC wants you to use
> TCP.  I don't know what causes this but we have had applications
> compiled with older libs work fine until one day the KDC decides to
> throw error code 52.  I don't know what changed but it no longer will do
> UDP for that user.  

This sounds like a case of a growing PAC, when the user becomes a member
(directly or indirectly, as it is a flattened list) of another group.

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the krbdev mailing list