Kerberos v5 release 1.1, OpenLDAP 1.2.8, and samba 2.1.0 as an NT Domain Controller

Luke Howard lukeh at
Wed Dec 15 00:36:03 GMT 1999

>If so, why the difference in behaviour? If the profile is not in the
>krb5 ticket, why not query a DC for it as is done when using NTLM? Is
>the issue one of mapping krb5 principals to ActiveDirectory objects when
>the KDC is a non-ActiveDirectory KDC?

AFAIK, non-ActiveDirectory KDCs are only supported for authentication,
where the authorization information (the SIDs) comes from the local SAM.
So I don't think this mapping issue is related. (Note the userprincipalname
and serviceprincipalname attributes in ActiveDirectory, and the
command line tools for setting up a mapping between local and KDC
user accounts when ActiveDirectory is not being used.)

I suspect the authorization data field is used because it's there.
The client gets a fully expanded set of SIDs which maps well to NT's
internal concept of an authorization token, rather than having each
client trawl the domain to construct this at logon. Perhaps the fact
that DCE used the PAC for a set of user identifiers influenced this.


-- Luke


luke howard                                                  lukeh at PADL.COM 
PADL software pty ltd                                   http://www.PADL.COM

More information about the samba-ntdom mailing list