Are Domain Local Groups in the PAC?

ronnie sahlberg ronniesahlberg at
Tue Nov 27 08:22:04 GMT 2007

Are there any differences in how the request pdu is constructed,
extra flags in KDCOptions or similar or extra flags
in the preauthentication header ?
when it requests a http service ticket compared to a cifs ticket?

If you decrypt the tickets with wireshark, make sure to check all the
bytes in the hexdump in there in case it "skips" something unknown.

So, when you add two DLGs then it changes by 80 bytes in size?

In an all w2k environment I recall that the client will request a http
ticket by specifying that it wants constrained-delegation.
Maybe this affects what gets stored inside the pac?

On Nov 27, 2007 7:10 PM, Michael B Allen <ioplex at> wrote:
> On 11/26/07, Michael B Allen <ioplex at> wrote:
> > Hi,
> >
> > I'm doing some network analysis of Windows 2003 Server and I've
> > noticed that Domain Local Groups are not in the PAC. Is that right?
> > All the docs seem to indicate that DLGs should be in the PAC but I've
> > captured some TGS-REPs for HTTP session tickets and they're not.
> The size of the TGS-REP for a cifs ticket changes by 40 bytes when a
> Domain Local group is added or removed. For an HTTP ticket it does not
> change. So it seems that DLGs are not included in HTTP session tickets
> but they are in cifs tickets.
> Mike

More information about the samba-technical mailing list