The PAC must be the first ad-element
    Isaac Boukris 
    iboukris at gmail.com
       
    Fri Jan 31 19:30:39 EST 2020
    
    
  
On Fri, Jan 31, 2020 at 7:25 PM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Fri, 2020-01-31 at 13:46 +0100, Isaac Boukris wrote:
> >
> > When I recently confirmed that Windows hosts have no problem with
> > other ad-elements alongside the PAC, I was too lazy to test a change of
> > order. Today I tested it and found that Windows servers are not happy
> > when the PAC is not the first ad-if-relevant element.
>
> Also, the original Samba PAC handling code was the same way; it very
> much assumed that the PAC was the first AD-IF-RELEVANT element.
Looking at the MIT code in handle_authdata(), I wonder if
request-authdata would pose a problem, and if so, what can be done
about it. I'll try to test this.
    
    