Crazy ideas about Kerberos, NTLM and PACs... (was NTLMSSP...)

Luke Kenneth Casson Leighton lkcl at
Mon Nov 19 13:53:02 GMT 2001

On Mon, Nov 19, 2001 at 06:47:18PM +1100, Andrew Bartlett wrote:

> In the event we get to creating the PAC, I think this should be done via
> a simple call-back, the kerberos server should use a similar protocol to
> obtain a PAC from *any* PAC providing service, not just Samba.  The idea
> of a PAC is quite (IMHO) a nice one, it's just a pity MS decided not to
> document it.

the PAC concept in krb5 is not new, in fact it was first
implemented by the DCE team, and paul leach described to
me that microsoft followed suit [e.g. using SIDs for user/group
identification where the DCE team used GUIDs instead].

however, the DCE team implemented the PAC concept in such a way
as to not interfere with existing kerberos implementations
and installations.

unlike microsoft.


