The PAC must be the first ad-element
iboukris at gmail.com
Fri Jan 31 19:30:39 EST 2020
On Fri, Jan 31, 2020 at 7:25 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2020-01-31 at 13:46 +0100, Isaac Boukris wrote:
> > When I recently confirmed that windows hosts have no problem with
> > other ad-elements along side the PAC, I was lazy to test change of
> > order. Today I tested it and found that Windows servers are not happy
> > when the PAC is not the first ad-if-relevant element.
> Also, the original Samba PAC handling code was the same way, it very
> much assumed that the PAC was the first AD-IF-RELEVANT element.
Looking at the MIT code in handle_authdata(), I wonder if
request-authdata would pose a problem, and if so what can be done
about it, I'll try to test this.
More information about the krbdev