Incorrect expiration time for tickets returned from Windows KDCs

Douglas E. Engert deengert at
Mon Aug 29 11:00:00 EDT 2005

Matt Crawford wrote:

>> This sounds like a case of a growing PAC, when the user becomes a member
>> (directly or indirectly, as it is a flattened list) of another group.
> There used to be a boolean bit of preauth data you could include which
> meant "don't include the PAC in the ticket."  Did it go away??  I ran
> into it when users changing their non-windows Kerberos password from
> the Windows secure-channel box would generate an AS_REQ with that
> padata in it.

I believe it is still there. You have to send the PA-PAC-REQUEST to the KDC.
But the MIT KDC had problems if this was used. It may be fixed by now.
AD only honored this on the AS_REQ, not the TGS_REQ.

There is also in AD a way to set NO_AUTH_DATA_REQUIRED "No PAC needed" for
a selected service ticket.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
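
Added example (not part of the original message, and not code from MIT krb5 or Microsoft): a strict parser for the PA-PAC-REQUEST padata value and a check of the NO_AUTH_DATA_REQUIRED account flag, of the kind useful when reviewing decoded AS_REQs. The padata type 128, the ASN.1 layout and the flag bit 0x02000000 are taken from Microsoft's published Kerberos extensions rather than from this thread; the function names and the sample padata list are constructed for illustration.

```python
PA_PAC_REQUEST = 128                    # padata-type (assumption: not in the thread)
UF_NO_AUTH_DATA_REQUIRED = 0x02000000   # userAccountControl bit (same caveat)


def encode_pac_request(include_pac):
    """DER for KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }."""
    boolean = bytes([0x01, 0x01, 0xFF if include_pac else 0x00])
    tagged = bytes([0xA0, len(boolean)]) + boolean
    return bytes([0x30, len(tagged)]) + tagged


def _read_tlv(buf, expected_tag):
    """Return the value of one short-form DER TLV that fills buf exactly."""
    if len(buf) < 2 or buf[0] != expected_tag:
        raise ValueError("unexpected tag")
    if buf[1] & 0x80 or 2 + buf[1] != len(buf):
        raise ValueError("bad length")
    return buf[2:]


def decode_pac_request(value):
    """Strictly parse the padata-value; True means the client wants a PAC."""
    boolean = _read_tlv(_read_tlv(_read_tlv(value, 0x30), 0xA0), 0x01)
    if len(boolean) != 1:
        raise ValueError("BOOLEAN must be one byte")
    return boolean[0] != 0


def as_req_declines_pac(padata):
    """padata: (type, value) pairs already extracted from a decoded AS_REQ."""
    return any(t == PA_PAC_REQUEST and not decode_pac_request(v)
               for t, v in padata)


def pac_omitted_for_service(user_account_control):
    """True if the service account is flagged 'No PAC needed'."""
    return bool(user_account_control & UF_NO_AUTH_DATA_REQUIRED)


# Constructed sample: an opaque timestamp padata (type 2) plus include-pac=FALSE.
SAMPLE_PADATA = [(2, b"\x00"), (PA_PAC_REQUEST, encode_pac_request(False))]

if __name__ == "__main__":
    print(encode_pac_request(False).hex(), as_req_declines_pac(SAMPLE_PADATA))
```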
