Incorrect expiration time for tickets returned from Windows KDCs
Luke Howard
lukeh at padl.com
Mon Aug 29 08:20:12 EDT 2005

>> This sounds like a case of a growing PAC, when the user becomes a member
>> (directly or indirectly, as it is a flattened list) of another group.
>
> There used to be a boolean bit of preauth data you could include
> which meant "don't include the PAC in the ticket."  Did it go away??
> I ran into it when users changing their non-windows Kerberos password
> from the Windows secure-channel box would generate an AS_REQ with
> that padata in it.

The flag works for the AS-REQ only, not the TGS-REQ. You have to use
the userAccountControl hotfix to avoid including the PAC in service
tickets.
-- Luke
--
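
Added example, not part of the original message: a minimal DER encoder and decoder for the padata element discussed in this thread, useful when checking a captured AS-REQ for it. It assumes the flag in question is KERB-PA-PAC-REQUEST (padata-type 128, a SEQUENCE holding one `include-pac` BOOLEAN, per MS-KILE); the function names are hypothetical and only short-form DER lengths are handled.

```python
# Added example: hand-rolled DER for a single Kerberos PA-DATA element.
# Assumption: the "boolean bit of preauth data" is KERB-PA-PAC-REQUEST (type 128).
PA_PAC_REQUEST = 128

def tlv(tag, body):
    """Wrap body in a DER tag/length header (short-form lengths only)."""
    if len(body) > 127:
        raise ValueError("long-form DER lengths are not handled here")
    return bytes([tag, len(body)]) + body

def read_tlv(buf, expected_tag):
    """Return (body, remainder) of the TLV at the start of buf, checking its tag."""
    if len(buf) < 2 or buf[0] != expected_tag:
        raise ValueError("expected tag 0x%02x" % expected_tag)
    length = buf[1]
    if length > 127 or len(buf) < 2 + length:
        raise ValueError("truncated or long-form element")
    return buf[2:2 + length], buf[2 + length:]

def der_int(n):
    """DER INTEGER; 128 needs a leading zero byte so it does not read as negative."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def encode_pa_pac_request(include_pac):
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }"""
    boolean = tlv(0x01, b"\xff" if include_pac else b"\x00")
    value = tlv(0x30, tlv(0xA0, boolean))  # SEQUENCE { include-pac [0] BOOLEAN }
    return tlv(0x30, tlv(0xA1, der_int(PA_PAC_REQUEST)) + tlv(0xA2, tlv(0x04, value)))

def decode_pa_pac_request(pa_data):
    """Return the include-pac value, or None if this PA-DATA is another type."""
    seq, rest = read_tlv(pa_data, 0x30)
    if rest:
        raise ValueError("trailing bytes after PA-DATA")
    type_field, seq = read_tlv(seq, 0xA1)
    int_body, _ = read_tlv(type_field, 0x02)
    if int.from_bytes(int_body, "big", signed=True) != PA_PAC_REQUEST:
        return None
    value_field, _ = read_tlv(seq, 0xA2)
    octets, _ = read_tlv(value_field, 0x04)
    inner, _ = read_tlv(octets, 0x30)
    flag_field, _ = read_tlv(inner, 0xA0)
    flag, _ = read_tlv(flag_field, 0x01)
    if len(flag) != 1:
        raise ValueError("BOOLEAN must be one byte")
    return flag != b"\x00"

if __name__ == "__main__":
    sample = encode_pa_pac_request(False)  # constructed sample, not captured traffic
    print(sample.hex(), decode_pa_pac_request(sample))
```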
    
    