Obtaining a TGT without unrestricted access to password.
Simo Sorce
simo at redhat.com
Thu Jun 16 11:10:19 EDT 2011

On Thu, 2011-06-16 at 15:49 +0100, David Woodhouse wrote:
> AFAICT most Windows sites *don't* set a policy. They just use the
> standard Windows default of 10-hour/10-day tickets — because it doesn't
> really make any significant difference to Windows clients, does it?

They don't really need to because they can obtain a new ticket from
scratch every time you unlock the screensaver (to which you give your
password), which is what we do with sssd as well, as the password goes
down the pipe through pam.

So the case where a 10h/10d policy is not enough is extremely rare.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
    
    