[32668] in Kerberos


Re: UDP and fragmentation

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Sep 15 12:16:49 2010

From: Greg Hudson <ghudson@mit.edu>
To: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
In-Reply-To: <i6mul5$1bui$1@relay.tomsk.ru>
Date: Wed, 15 Sep 2010 12:16:40 -0400
Message-ID: <1284567400.5992.1666.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, 2010-09-14 at 00:45 -0400, Victor Sudakov wrote:
> Greg Hudson wrote:
> > > BTW what can make Kerberos packets so big? Microsoft says: "Depending
> > > on a variety of factors including security identifier (SID) history
> > > and group membership, some accounts will have larger Kerberos
> > > authentication packet sizes." What's there inside? Long principal
> > > names? Long keys?
> 
> > An Active Directory KDC will include authorization data within a
> > Kerberos ticket which includes the set of groups you are a member of.
> > If that's a lot of groups, then your ticket will be large.
> 
> It is very interesting. Where is room in a Kerberos ticket for
> such data?

The KDC-REP contains a Ticket, which contains an EncTicketPart, which
contains AuthorizationData.  That's where the PAC is stored, which
contains (among other things) the list of groups.

Your packet traces may not be able to show you the authorization data
since it's within an encrypted blob, and the key for that blob is not
generally known by the client.  (The PAC information is for the benefit
of the service, not the client.)


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
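
The nesting Greg describes, as an added example that is not part of this thread or of the MIT Kerberos code: a small hand-rolled DER encoder/decoder builds a Ticket the way RFC 4120 lays it out (Ticket is [APPLICATION 1], EncTicketPart is [APPLICATION 3], AD-IF-RELEVANT is ad-type 1, AD-WIN2K-PAC is ad-type 128) and then shows the two views side by side: what a packet trace can read (realm, sname, etype, kvno, and an opaque enc-part blob) versus what the service can read after decrypting with its own key (the AuthorizationData and the PAC inside it). Everything else is assumed for illustration: the realm EXAMPLE.COM, the principals alice and HTTP/web.example.com, the function names, toy_seal() as a repeating-key XOR standing in for the etype's real encryption, and the PAC bytes, which are constructed filler rather than a real MS-PAC structure.

```python
# Added example, not code from the thread: a tiny DER encoder/decoder that
# builds a Ticket the way RFC 4120 lays it out and walks
# Ticket -> enc-part -> EncTicketPart -> authorization-data -> PAC.
# toy_seal() (repeating-key XOR) stands in for the etype's real encryption and
# the PAC bytes are constructed filler, not a real MS-PAC structure.
AD_IF_RELEVANT, AD_WIN2K_PAC = 1, 128            # ad-type values from RFC 4120 section 7.5.4

# --- minimal DER encoding; single-byte tags suffice for RFC 4120 types ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body): return bytes([tag]) + der_len(len(body)) + body
def ctx(n, body): return tlv(0xA0 | n, body)      # context-specific [n], constructed
def app(n, body): return tlv(0x60 | n, body)      # [APPLICATION n], constructed
def seq(*parts): return tlv(0x30, b"".join(parts))
def octets(b): return tlv(0x04, b)
def gstring(s): return tlv(0x1B, s.encode("ascii"))   # KerberosString is a GeneralString
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def principal(name_type, *parts):                 # PrincipalName
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*(gstring(p) for p in parts))))

# --- minimal DER decoding ---
def read_tlv(buf, pos=0):                         # returns (tag, contents, position after the TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def unwrap(der): return read_tlv(der)[1]          # contents of the outermost TLV
def children(body):                               # (tag, contents) of each element in a SEQUENCE body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out
def field(body, n):                               # contents of [n] in a SEQUENCE body, None if absent
    return next((val for tag, val in children(body) if tag == 0xA0 | n), None)
def decode_int(der): return int.from_bytes(unwrap(der), "big", signed=True)
def decode_principal(der):                        # name-string parts joined with "/"
    return "/".join(v.decode("ascii") for _, v in children(unwrap(field(unwrap(der), 1))))

# --- KDC side: build EncTicketPart, "encrypt" it, wrap it in a Ticket ---
def toy_seal(key, data):                          # PLACEHOLDER for the etype; XOR is its own inverse
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def authorization_data(pac):
    # AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
    # AD-WIN2K-PAC rides inside AD-IF-RELEVANT, whose ad-data is itself an AuthorizationData.
    pac_elem = seq(ctx(0, integer(AD_WIN2K_PAC)), ctx(1, octets(pac)))
    return seq(seq(ctx(0, integer(AD_IF_RELEVANT)), ctx(1, octets(seq(pac_elem)))))

def enc_ticket_part(pac):                         # EncTicketPart ::= [APPLICATION 3] SEQUENCE
    return app(3, seq(
        ctx(0, tlv(0x03, b"\x00\x40\xa0\x00\x00")),                   # flags: forwardable, renewable, pre-authent
        ctx(1, seq(ctx(0, integer(18)), ctx(1, octets(bytes(32))))),   # session key, etype 18, all-zero here
        ctx(2, gstring("EXAMPLE.COM")),                                # crealm
        ctx(3, principal(1, "alice")),                                 # cname, NT-PRINCIPAL
        ctx(4, seq(ctx(0, integer(1)), ctx(1, octets(b"")))),           # transited, empty
        ctx(5, tlv(0x18, b"20100915161640Z")),                         # authtime (GeneralizedTime)
        ctx(7, tlv(0x18, b"20100916021640Z")),                         # endtime
        ctx(10, authorization_data(pac))))                             # authorization-data: where the PAC lives

def issue_ticket(pac, service_key, kvno=2):       # Ticket ::= [APPLICATION 1] SEQUENCE
    enc_part = seq(ctx(0, integer(18)), ctx(1, integer(kvno)),
                   ctx(2, octets(toy_seal(service_key, enc_ticket_part(pac)))))
    return app(1, seq(ctx(0, integer(5)), ctx(1, gstring("EXAMPLE.COM")),
                      ctx(2, principal(2, "HTTP", "web.example.com")), ctx(3, enc_part)))

# --- the two views Greg contrasts ---
def summarize_ticket(ticket_der):
    """Everything a packet trace can show: plaintext Ticket fields plus an opaque blob."""
    body = unwrap(unwrap(ticket_der))
    enc = unwrap(field(body, 3))
    return {"realm": unwrap(field(body, 1)).decode("ascii"), "sname": decode_principal(field(body, 2)),
            "etype": decode_int(field(enc, 0)), "kvno": decode_int(field(enc, 1)),
            "cipher": unwrap(field(enc, 2))}

def find_pac(enc_ticket_part_der):
    """Service side, after decrypting with its own key: locate AD-WIN2K-PAC, recursing through AD-IF-RELEVANT."""
    def search(ad_body):
        for _, elem in children(ad_body):
            ad_type, ad_data = decode_int(field(elem, 0)), unwrap(field(elem, 1))
            if ad_type == AD_WIN2K_PAC:
                return ad_data
            if ad_type == AD_IF_RELEVANT:
                found = search(unwrap(ad_data))
                if found is not None:
                    return found
        return None
    authz = field(unwrap(unwrap(enc_ticket_part_der)), 10)
    return None if authz is None else search(unwrap(authz))

if __name__ == "__main__":
    key = b"service-key-placeholder"              # stands in for the service's long-term key
    for groups in (5, 500):                       # filler whose size grows like a real PAC's group list would
        tkt = issue_ticket(b"\xaa" * (200 + 8 * groups), key)
        view = summarize_ticket(tkt)
        print(groups, "groups: ticket", len(tkt), "bytes, opaque enc-part", len(view["cipher"]), "bytes")
        print("   service recovers a", len(find_pac(toy_seal(key, view["cipher"]))), "byte PAC after decrypting")
```

Running it with the two filler sizes shows the point of the reply directly: the only thing that changes in the plaintext part of the Ticket is the length of the enc-part cipher, so a trace can tell you the ticket got bigger but not why, while find_pac() only works on the EncTicketPart after it has been opened with the service key. Against a real capture, the same walk applies to the Ticket inside an AS-REP/TGS-REP or AP-REQ, except that the enc-part must be decrypted with the actual etype and the service's keytab entry before the AuthorizationData becomes readable.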
