Incorrect expiration time for tickets returned from Windows KDCs

Andrew Bartlett abartlet at
Sun Aug 28 20:58:16 EDT 2005

On Sun, 2005-08-28 at 19:53 -0500, Matt Crawford wrote:
> > This sounds like a case of a growing PAC, when the user becomes a  
> > member
> > (directly or indirectly, as it is a flattened list) of another group.
> There used to be a boolean bit of preauth data you could include  
> which meant "don't include the PAC in the ticket."  Did it go away??   
> I ran into it when users changing their non-windows Kerberos password  
> from the Windows secure-channel box would generate an AS_REQ with  
> that padata in it.

I've not finished figuring that area out (just got the PAC generation
working in our KDC), but remember the flag is negative - if you do not
encode it particularly, you will get a PAC, even to an unknowing client.
(Because it is still useful, for example smbclient to a windows file

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
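Worked example, added here and not code from the krbdev thread, from Samba or from the Windows KDC: it DER-encodes and strictly decodes the PA-PAC-REQUEST padata and applies the KDC-side default the message describes, namely that the flag is negative, so an AS-REQ that carries no PA-PAC-REQUEST at all still gets a PAC. The padata-type number 128 and the structure `KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }` are taken from RFC 4120 sec. 7.5.2 and MS-KILE, not from the thread; the sample padata lists are constructed, not captured traffic.

```python
# Added example (not code from the krbdev thread or from Samba): encode and
# decode the KERB-PA-PAC-REQUEST padata and apply the KDC-side default that
# the message describes: the flag is negative, so an AS-REQ that carries no
# PA-PAC-REQUEST still gets a PAC.
#
# Assumed from RFC 4120 sec. 7.5.2 and MS-KILE: padata-type 128 is
# PA-PAC-REQUEST and its value is the DER encoding of
#   KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }

PA_PAC_REQUEST = 128  # padata-type for PA-PAC-REQUEST


def _tlv(buf: bytes, offset: int):
    """Read one short-form DER TLV at offset; return (tag, value, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[offset], buf[offset + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in PA-PAC-REQUEST")
    end = offset + 2 + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[offset + 2:end], end


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """DER-encode KERB-PA-PAC-REQUEST for the given include-pac value."""
    boolean = bytes([0x01, 0x01, 0xFF if include_pac else 0x00])  # BOOLEAN
    ctx0 = bytes([0xA0, len(boolean)]) + boolean                   # [0] EXPLICIT
    return bytes([0x30, len(ctx0)]) + ctx0                         # SEQUENCE


def decode_pa_pac_request(der: bytes) -> bool:
    """Parse KERB-PA-PAC-REQUEST strictly; reject anything that is not valid DER."""
    tag, seq, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, ctx, end = _tlv(seq, 0)
    if tag != 0xA0 or end != len(seq):
        raise ValueError("expected include-pac [0]")
    tag, val, end = _tlv(ctx, 0)
    if tag != 0x01 or end != len(ctx) or len(val) != 1:
        raise ValueError("expected a one-byte BOOLEAN")
    if val[0] == 0x00:
        return False
    if val[0] == 0xFF:
        return True
    # BER accepts any non-zero byte as TRUE; DER requires exactly 0xFF.
    raise ValueError("non-DER BOOLEAN value 0x%02x" % val[0])


def kdc_should_include_pac(padata: list) -> bool:
    """Decide whether the KDC puts a PAC in the ticket.

    padata is the AS-REQ padata list as (padata-type, padata-value) pairs.
    The flag is negative: only an explicit include-pac FALSE suppresses the
    PAC; a client that has never heard of PA-PAC-REQUEST still gets one.
    """
    for ptype, pvalue in padata:
        if ptype == PA_PAC_REQUEST:
            return decode_pa_pac_request(pvalue)
    return True


if __name__ == "__main__":
    # Constructed sample AS-REQ padata lists, not captured traffic.
    legacy_client = []                                          # no PA-PAC-REQUEST at all
    no_pac_client = [(PA_PAC_REQUEST, encode_pa_pac_request(False))]
    print(encode_pa_pac_request(False).hex())                  # 3005a003010100
    print(kdc_should_include_pac(legacy_client))                # True
    print(kdc_should_include_pac(no_pac_client))                # False
```

The strict decoder matters on the KDC side: a BOOLEAN byte other than 0x00 or 0xFF is rejected rather than silently treated as TRUE, so a malformed request cannot be read one way by one implementation and another way by the next.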