PAC group membership vs tokenGroupsGlobalAndUniversal assumptions

sapir kvetny sapirkb123 at gmail.com
Tue Dec 16 00:14:06 UTC 2025


Hi,

While reviewing recent Microsoft documentation, I noticed that references
suggesting an equivalence between the LDAP attribute
tokenGroupsGlobalAndUniversal and the group membership embedded in Kerberos
PACs appear to have been removed or softened.

From an interoperability with Active Directory perspective, I wanted to ask:
Is it considered safe to assume that the group SIDs included in the PAC
correspond to the same effective group set as tokenGroupsGlobalAndUniversal,
or should these be treated as related but not guaranteed to be identical?


Thanks.


More information about the samba-technical mailing list