Kerberos v5 release 1.1, OpenLDAP 1.2.8, and samba 2.1.0 as an NT Domain Controller

Jeremy Allison jeremy at
Mon Dec 20 20:21:04 GMT 1999

Luke Howard wrote:
> >If so, why the difference in behaviour? If the profile is not in the
> >krb5 ticket, why not query a DC for it as is done when using NTLM? Is
> >the issue one of mapping krb5 principals to ActiveDirectory objects when
> >the KDC is a non-ActiveDirectory KDC?
> AFAIK, non-ActiveDirectory KDCs are only supported for authentication,
> where the authorization information (the SIDs) comes from the local SAM.
> So I don't think this mapping issue is related. (Note the userprincipalname
> and serviceprincipalname attributes in ActiveDirectory, and the
> command line tools for setting up a mapping between local and KDC
> user accounts when ActiveDirectory is not being used.)
> I suspect the authorization data field is used because it's there.
> The client gets a fully expanded set of SIDs which maps well to NT's
> internal concept of an authorization token, rather than having each
> client trawl the domain to construct this at logon. Perhaps the fact
> that DCE used the PAC for a set of user identifiers influenced this.

Yeah, but the PAC service in DCE was a *separate* service
from the KDC. MS have jammed the two together.....


	Jeremy Allison,
	Samba Team.

Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.

More information about the samba-ntdom mailing list