Incorrect expiration time for tickets returned from Windows KDCs
Douglas E. Engert
deengert at anl.gov
Mon Aug 29 11:00:00 EDT 2005
Matt Crawford wrote:
>> This sounds like a case of a growing PAC, when the user becomes a member
>> (directly or indirectly, as it is a flattened list) of another group.
> There used to be a boolean bit of preauth data you could include which
> meant "don't include the PAC in the ticket." Did it go away?? I ran
> into it when users changing their non-windows Kerberos password from
> the Windows secure-channel box would generate an AS_REQ with that
> padata in it.
I believe it is still there. You have to send the PA-PAC-REQUEST to the KDC.
But the MIT KDC had problems if this was used. It may be fixed by now.
AD only honored this on the AS_REQ, not the TGS_REQ.
There is also in AD a way to set NO_AUTH_DATA_REQUIRED "No PAC needed" for
a selected service ticket. http://support.microsoft.com/kb/832572/
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
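As an added example, not code from this thread or from the MIT or Microsoft implementations: the PA-PAC-REQUEST padata Engert mentions, DER-encoded and strictly parsed using the MS-KILE layout (KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }, padata-type 128), plus a check for the NO_AUTH_DATA_REQUIRED bit on a service account. The bit value 0x02000000 is assumed from Microsoft's UF_NO_AUTH_DATA_REQUIRED constant; the padata list at the bottom is constructed sample input.

```python
from typing import Optional

PA_PAC_REQUEST = 128                    # padata-type assigned to PA-PAC-REQUEST
UF_NO_AUTH_DATA_REQUIRED = 0x02000000   # assumed userAccountControl bit, "No PAC needed"

def encode_pa_pac_request(include_pac: bool) -> bytes:
    """DER-encode KERB-PA-PAC-REQUEST; DER requires BOOLEAN TRUE to be 0xFF."""
    boolean = b"\x01\x01" + (b"\xff" if include_pac else b"\x00")
    ctx0 = b"\xa0" + bytes([len(boolean)]) + boolean   # [0] EXPLICIT wrapper
    return b"\x30" + bytes([len(ctx0)]) + ctx0          # outer SEQUENCE

def _tlv(buf: bytes, tag: int) -> bytes:
    """Read one short-form DER TLV that must span all of buf; return its value."""
    if len(buf) < 2 or buf[0] != tag:
        raise ValueError("unexpected tag or truncated element")
    length = buf[1]
    if length >= 0x80 or 2 + length != len(buf):
        raise ValueError("bad length or trailing bytes")
    return buf[2:]

def decode_pa_pac_request(der: bytes) -> bool:
    """Parse KERB-PA-PAC-REQUEST strictly; reject BOOLEANs that are not DER."""
    boolean = _tlv(_tlv(_tlv(der, 0x30), 0xA0), 0x01)
    if boolean not in (b"\x00", b"\xff"):
        raise ValueError("BOOLEAN is not DER-encoded")
    return boolean == b"\xff"

def pac_requested(padata: list) -> Optional[bool]:
    """Scan an AS-REQ padata list of (type, value) pairs.
    Returns include-pac, or None when no PA-PAC-REQUEST is present
    (the KDC then includes the PAC by default)."""
    for ptype, pvalue in padata:
        if ptype == PA_PAC_REQUEST:
            return decode_pa_pac_request(pvalue)
    return None

def service_suppresses_pac(user_account_control: int) -> bool:
    """True when the service account carries NO_AUTH_DATA_REQUIRED."""
    return bool(user_account_control & UF_NO_AUTH_DATA_REQUIRED)

if __name__ == "__main__":
    # Constructed sample: padata list with a placeholder entry and a
    # PA-PAC-REQUEST asking the KDC to leave the PAC out of the ticket.
    padata = [(2, b"placeholder"), (PA_PAC_REQUEST, encode_pa_pac_request(False))]
    print(pac_requested(padata))                        # False
    print(service_suppresses_pac(0x02000000 | 0x200))   # True
```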