Incorrect expiration time for tickets returned from Windows KDCs

Andrew Bartlett abartlet at samba.org
Sun Aug 28 20:58:16 EDT 2005


On Sun, 2005-08-28 at 19:53 -0500, Matt Crawford wrote:
> > This sounds like a case of a growing PAC, when the user becomes a member
> > (directly or indirectly, as it is a flattened list) of another group.
> 
> There used to be a boolean bit of preauth data you could include
> which meant "don't include the PAC in the ticket."  Did it go away??
> I ran into it when users changing their non-windows Kerberos password
> from the Windows secure-channel box would generate an AS_REQ with
> that padata in it.

I've not finished figuring that area out (just got the PAC generation
working in our KDC), but remember the flag is negative - if you do not
encode it particularly, you will get a PAC, even to an unknowing client.
(Because it is still useful, for example smbclient to a windows file
server).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
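The "negative flag" rule described above, as an added example (constructed here, not code from Samba or MIT krb5): a minimal DER encoder/decoder for the PA-PAC-REQUEST padata (padata-type 128 in RFC 4120; layout from MS-KILE, `KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }`) and the KDC-side decision it drives. The padata list shape and the function names are assumptions for illustration.

```python
"""Added example: how PA-PAC-REQUEST steers a KDC's decision to include a PAC.
Constructed code, not from Samba or MIT krb5.  DER layout per MS-KILE 2.2.3:
    KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
"""

PA_PAC_REQUEST = 128  # padata-type assigned to PA-PAC-REQUEST in RFC 4120


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """DER-encode KERB-PA-PAC-REQUEST; the BOOLEAN sits inside an explicit [0] tag."""
    boolean = bytes([0x01, 0x01, 0xFF if include_pac else 0x00])
    ctx0 = bytes([0xA0, len(boolean)]) + boolean
    return bytes([0x30, len(ctx0)]) + ctx0


def decode_pa_pac_request(der: bytes) -> bool:
    """Parse the structure back; reject anything other than the expected shape."""
    if len(der) != 7 or der[0] != 0x30 or der[1] != 5:
        raise ValueError("not a KERB-PA-PAC-REQUEST SEQUENCE")
    if der[2] != 0xA0 or der[3] != 3 or der[4] != 0x01 or der[5] != 1:
        raise ValueError("expected [0] EXPLICIT BOOLEAN")
    # DER requires TRUE to be 0xFF; tolerate any non-zero byte as BER TRUE
    return der[6] != 0x00


def kdc_should_include_pac(padata) -> bool:
    """The PAC is included unless the client explicitly sent include-pac FALSE.
    An absent PA-PAC-REQUEST means 'include it', so an unknowing client gets a PAC.
    `padata` is a constructed list of (padata-type, padata-value) pairs."""
    for patype, pavalue in padata:
        if patype == PA_PAC_REQUEST:
            return decode_pa_pac_request(pavalue)
    return True


if __name__ == "__main__":
    # Constructed AS-REQ padata lists; type 2 (PA-ENC-TIMESTAMP) is just filler.
    legacy_client = [(2, b"...")]
    opt_out_client = [(2, b"..."), (PA_PAC_REQUEST, encode_pa_pac_request(False))]
    print(encode_pa_pac_request(False).hex())      # 3005a003010100
    print(kdc_should_include_pac(legacy_client))   # True
    print(kdc_should_include_pac(opt_out_client))  # False
```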