Incorrect expiration time for tickets returned from Windows KDCs

[Matt Crawford]

> This sounds like a case of a growing PAC, when the user becomes a  
> member
> (directly or indirectly, as it is a flattened list) of another group.

There used to be a boolean bit of preauth data you could include  
which meant "don't include the PAC in the ticket."  Did it go away??   
I ran into it when users changing their non-windows Kerberos password  
from the Windows secure-channel box would generate an AS_REQ with  
that padata in it.