Crazy ideas about Kerberos, NTLM and PACs... (was NTLMSSP...)
Luke Kenneth Casson Leighton
lkcl at samba-tng.org
Mon Nov 19 13:53:02 GMT 2001
On Mon, Nov 19, 2001 at 06:47:18PM +1100, Andrew Bartlett wrote:
> In the event we get to creating the PAC, I think this should be done via
> a simple call-back, the kerberos server should use a similar protocol to
> obtain a PAC from *any* PAC providing service, not just Samba. The idea
> of a PAC is quite (IMHO) a nice one, its just a pity MS decided not to
> document it.
the PAC concept in krb5 is not new, in fact it was first
implemented by the DCE team, and paul leach described to
me that microsoft followed suit [e.g. using SIDs for user/group
identification where the DCE team used GUIDs instead].
however, the DCE team implemented the PAC concept in such a way
as to not interfere with existing kerberos implementations
and installations.
unlike microsoft.
lkcl
More information about the samba-technical
mailing list