Incorrect expiration time for tickets returned from Windows KDCs
crawdad at fnal.gov
Sun Aug 28 20:53:40 EDT 2005
> This sounds like a case of a growing PAC, when the user becomes a
> (directly or indirectly, as it is a flattened list) of another group.
There used to be a boolean bit of preauth data you could include
which meant "don't include the PAC in the ticket." Did it go away??
I ran into it when users changing their non-windows Kerberos password
from the Windows secure-channel box would generate an AS_REQ with
that padata in it.