[20021] in Kerberos_V5_Development
Re: The PAC must be the first ad-element
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Fri Jan 31 20:06:12 2020
In-Reply-To: <CAC-fF8SKJFAqoQ3JnE1B_zj6wpiGoyJKupyi6NNb-VL=CBk9HA@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 1 Feb 2020 02:05:47 +0100
Message-ID: <CAC-fF8SCnaRDwLa3h1iwZJVKnVrFXGdWHSBDvh0uSxX90t_ooA@mail.gmail.com>
To: krbdev@mit.edu, Alexander Bokovoy <ab@samba.org>,
Andreas Schneider <asn@samba.org>, Greg Hudson <ghudson@mit.edu>,
rharwood@redhat.com, Andrew Bartlett <abartlet@samba.org>
On Fri, Jan 31, 2020 at 1:46 PM Isaac Boukris <iboukris@gmail.com> wrote:
>
> When I recently confirmed that Windows hosts have no problem with
> other ad-elements alongside the PAC, I was too lazy to test a change of
> order. Today I tested it and found that Windows servers are not happy
> when the PAC is not the first ad-if-relevant element.
Interestingly, in the trust case, if the PAC is the first element, the
trusted Windows KDC would remove the other element and leave only the
PAC (if the other element was first, then it is not removed, but it
breaks service access).
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
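
Added example, not part of the original message or of MIT krb5: a Python check that reports where the PAC-carrying AD-IF-RELEVANT element sits in a ticket's DER-encoded AuthorizationData, so an interoperability test can flag tickets where it is not first. It assumes "first" means the first top-level element; the sample data and placeholder contents are constructed, and ad-type 97 (AD-AUTHENTICATION-INDICATOR) only stands in for "another element".

```python
AD_IF_RELEVANT, AD_WIN2K_PAC = 1, 128      # ad-type values (RFC 4120, MS-PAC)

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_authdata(der):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0], ad-data [1] }"""
    tag, body, _ = tlv(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, elem, pos = tlv(body, pos)
        t0, v0, nxt = tlv(elem)            # [0] EXPLICIT INTEGER
        t1, v1, _ = tlv(elem, nxt)         # [1] EXPLICIT OCTET STRING
        if (t0, t1) != (0xA0, 0xA1):
            raise ValueError("unexpected context tags")
        out.append((int.from_bytes(tlv(v0)[1], "big", signed=True), tlv(v1)[1]))
    return out

def pac_index(der):
    """Index of the top-level AD-IF-RELEVANT element carrying a PAC, or None."""
    for i, (ad_type, data) in enumerate(parse_authdata(der)):
        if ad_type == AD_IF_RELEVANT and any(
                t == AD_WIN2K_PAC for t, _ in parse_authdata(data)):
            return i
    return None

# --- constructed sample data; enc() only handles values shorter than 128 bytes
def enc(tag, val):
    return bytes([tag, len(val)]) + val

def element(ad_type, data):
    n = ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big", signed=True)
    return enc(0x30, enc(0xA0, enc(0x02, n)) + enc(0xA1, enc(0x04, data)))

def relevant(ad_type, data):               # wrap one element in AD-IF-RELEVANT
    return element(AD_IF_RELEVANT, enc(0x30, element(ad_type, data)))

PAC = relevant(AD_WIN2K_PAC, b"pac-placeholder")
OTHER = relevant(97, b"other-placeholder")  # stand-in for a non-PAC element
PAC_FIRST, PAC_SECOND = enc(0x30, PAC + OTHER), enc(0x30, OTHER + PAC)
```

A test harness would require `pac_index(...) == 0` for tickets destined for Windows services, matching the ordering the message reports them to need.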