VFS Implementation and user authentication

Nicolas Williams Nicolas.Williams at ubsw.com
Thu Sep 14 02:16:47 GMT 2000

On Thu, Sep 14, 2000 at 11:59:24AM +1000, Luke Kenneth Casson Leighton wrote:
> > > the PAC in the NT5 Krb5 server contains user profile info, which needs to
> > > be conceptually separated from the kerberos ticket itself.
> > 
> > Of course. I used the word profile. In plain Kerberos all there is to
> > the profile is the user principal name, but it (and forwarded TGTs) can
> > be used to obtain other profile information that is relevant to the
> > app.
> [ah, terminology, shmology.]
> relevant to the app?  where does that come in with respect to User
> Credentials?

I meant that only MS' ActiveDirectory puts any profile info in Kerberos
tickets, at this time. Actually, DCE does something like that as well;
you're looking at DCE, so you could tell us the gory details ;) ;)

The rest of world only gets the client's Kerbero principal name and
must go from there, looking up the necessary profile information.

> > > i am not an expert on appropriate terminology, however i know someone who
> > > is :)
> > 
> > :)
> i'll ask him if i can forward the exchanges i had on this topic last week
> to the list.



More information about the samba-technical mailing list