any way to get user's ldap dn (or part of it) as part of the ticket?

Fri Aug 26 02:32:10 EDT 2016

On 08/26/2016 02:29 AM, Greg Hudson wrote:
> Microsoft's PAC is visible to the server, not the client.

Oops, I misread your question.  You want this information in the server,
so yes, you want authdata.  Ignore everything I said about using padata.

We do have an authdata plugin interface, but unfortunately it's
unfinished and not public.  Still, it's probably better than modifying
the code.

Authdata is encrypted in the AS-REP, so you don't have to worry about
protecting the value.  Negative authdata types are reserved for
unregistered use (RFC 4120 section 5.2.6).