Incorrect expiration time for tickets returned from Windows KDCs

Luke Howard lukeh at
Mon Aug 29 08:20:12 EDT 2005

>> This sounds like a case of a growing PAC, when the user becomes a  
>> member
>> (directly or indirectly, as it is a flattened list) of another group.
>There used to be a boolean bit of preauth data you could include  
>which meant "don't include the PAC in the ticket."  Did it go away??   
>I ran into it when users changing their non-windows Kerberos password  
>from the Windows secure-channel box would generate an AS_REQ with  
>that padata in it.

The flag works for the AS-REQ only, not the TGS-REQ. You have to use
the userAccountControl hotfix to avoid including the PAC in service

-- Luke


More information about the krbdev mailing list