PAC group membership vs tokenGroupsGlobalAndUniversal assumptions

Stefan Metzmacher metze at samba.org
Tue Dec 16 09:13:41 UTC 2025


Hi sapir,

> While reviewing recent Microsoft documentation, I noticed that references
> suggesting an equivalence between the LDAP attribute
> tokenGroupsGlobalAndUniversal and the group membership embedded in Kerberos
> PACs appear to have been removed or softened.
> 
> From an interoperability with Active Directory perspective, I wanted to ask:
> Is it considered safe to assume that the group SIDs included in the PAC
> correspond to the same effective group set as tokenGroupsGlobalAndUniversal,
> or should these be treated as related but not guaranteed to be identical?

I'd say they are related but not guaranteed to be identical.

The PAC has the SIDs from the perspective of the receiving
service, so resource groups are added and the result is
also correct when the user and service belong to a different
domain or, more complex, a different forest.

I think tokenGroupsGlobalAndUniversal is more or less
the same as in the PAC of the initial TGT the KDC of the
user generates, but that PAC is only visible to
the KDCs of the user's domain.

Various trust boundaries add or filter SIDs on the way
to the final service ticket and then the accepting
service also evaluates local group memberships.

I hope that helps...
metze
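The reply above lists the reasons the two sets drift apart (resource groups added by the receiving side, SIDs added or filtered at trust boundaries). Below is an added example, not code from the thread or from Samba, that an auditor can use to reconcile an LDAP tokenGroupsGlobalAndUniversal set against the group SIDs observed in a PAC and label each difference. The SIDs, domain names and the simplified trust-filtering rule (a SID from the user's side survives the trust only if its domain is in an explicit accepted list) are constructed assumptions for illustration, not Microsoft's actual filtering rules.

```python
"""Reconcile PAC group SIDs against LDAP tokenGroupsGlobalAndUniversal.

Added example (not from the mailing-list thread or from Samba). It classifies
every difference between the two sets so the reader can see *why* they are
related but not identical: resource (domain-local) groups added by the
resource domain, well-known SIDs the service side evaluates, and SIDs
dropped at a trust boundary.
"""

# Constructed sample domains (assumption: arbitrary S-1-5-21 domain SIDs).
USER_DOMAIN = "S-1-5-21-1000-2000-3000"      # domain that issued the TGT
FOREIGN_DOMAIN = "S-1-5-21-1111-2222-3333"   # a domain the trust does not accept
RESOURCE_DOMAIN = "S-1-5-21-4000-5000-6000"  # domain of the receiving service

# Constructed sample data: what LDAP reports for the user ...
LDAP_TOKEN_GROUPS = [
    f"{USER_DOMAIN}-513",       # Domain Users
    f"{USER_DOMAIN}-1105",      # a global group
    f"{FOREIGN_DOMAIN}-1200",   # universal group from the non-accepted domain
]
# ... and what shows up in the PAC of the final service ticket.
PAC_GROUP_SIDS = [
    f"{USER_DOMAIN}-513",
    f"{USER_DOMAIN}-1105",
    f"{RESOURCE_DOMAIN}-1300",  # domain-local (resource) group added by the resource KDC
    "S-1-5-11",                 # Authenticated Users, well-known SID
]


def sid_domain(sid: str) -> str:
    """Return the domain prefix of an S-1-5-21-<a>-<b>-<c>-<rid> SID.

    Well-known SIDs (e.g. S-1-5-11) have no domain part and are returned
    unchanged so they never match a domain prefix.
    """
    parts = sid.split("-")
    if len(parts) >= 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:-1])
    return sid


def reconcile_pac_with_ldap(ldap_sids, pac_sids, resource_domain_sid, accepted_domains):
    """Classify differences between the LDAP group set and the PAC group set.

    accepted_domains: domain SIDs whose groups the resource side accepts across
    the trust (simplified model of SID filtering; an assumption for this demo).
    """
    ldap, pac = set(ldap_sids), set(pac_sids)
    result = {
        "common": sorted(ldap & pac),
        "resource_groups": [],      # in PAC only, from the resource domain
        "other_added": [],          # in PAC only, e.g. well-known SIDs
        "filtered_at_trust": [],    # in LDAP only, domain not accepted
        "missing_unexplained": [],  # in LDAP only, should have survived
    }
    for sid in sorted(pac - ldap):
        if sid_domain(sid) == resource_domain_sid:
            result["resource_groups"].append(sid)
        else:
            result["other_added"].append(sid)
    for sid in sorted(ldap - pac):
        if sid_domain(sid) not in accepted_domains:
            result["filtered_at_trust"].append(sid)
        else:
            result["missing_unexplained"].append(sid)
    return result


if __name__ == "__main__":
    report = reconcile_pac_with_ldap(
        LDAP_TOKEN_GROUPS, PAC_GROUP_SIDS, RESOURCE_DOMAIN, {USER_DOMAIN}
    )
    for category, sids in report.items():
        print(f"{category}: {sids}")
```

The "missing_unexplained" bucket is the one worth alerting on: a SID from an accepted domain that LDAP reports but the PAC lacks is not explained by resource groups or trust filtering and should be investigated rather than assumed away.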