any way to get user's ldap dn (or part of it) as part of the ticket?

[Chris Hecker]

Yeah, I want the UUID on the service that gets tickets from the clients 
(so I can stop using the username as a db key, which was just a terrible 
idea but hey, I was young).

So, to be clear, the client (my game) logs into the KDC, requests a 
ticket to the service (the lobby server), and then logs into the lobby 
server using this ticket.  I'd like the lobby server to be able to get 
the UUID (from the kdb LDAP backend) out of the ticket without talking 
to the KDC/LDAP machine again over the wire.  I don't particularly care 
if the client can decrypt the UUID, but I guess it's slightly better if 
they can't (which it sounds like is the case with authdata, it's 
encrypted with the service key)?.

It looks like the greet client and server stuff are the things to look 
at here?

Chris



On 2016-08-25 23:32, Greg Hudson wrote:
> On 08/26/2016 02:29 AM, Greg Hudson wrote:
>> Microsoft's PAC is visible to the server, not the client.
>
> Oops, I misread your question.  You want this information in the server,
> so yes, you want authdata.  Ignore everything I said about using padata.
>
> We do have an authdata plugin interface, but unfortunately it's
> unfinished and not public.  Still, it's probably better than modifying
> the code.
>
> Authdata is encrypted in the AS-REP, so you don't have to worry about
> protecting the value.  Negative authdata types are reserved for
> unregistered use (RFC 4120 section 5.2.6).
>