----- Original Message -----
> Hi,
> 
> If PAC is not being used using key, how is group membership determined?
By asking the IPA master to give the list of groups the AD user belongs to.
The complexity of this process makes it hard to have the full list of groups
available in advance in all cases.
The MS-PAC record in a Kerberos ticket has the property that the AD DC puts the
correct and full list of groups the user is a member of at the time of issuing
the TGT, signed with the AD DC's signature. This means that after validating
the ticket we can trust its content for caching. If no PAC data is available we
have to resort to less precise methods that give incomplete information in some
situations, such as incomplete GC content for multidomain AD forests.

> Also: it feels like the Linux client is contacting AD to obtain a Kerberos
> ticket and not the IPA-server. (for AD users). Is that true?
Yes, how would you imagine doing it differently? AD DCs are authoritative for
their users, not the IPA KDC.
This is a basic feature of the Kerberos protocol.

With IPA 4.2 on systems like RHEL 7.2/CentOS 7.2/Fedora 23 you can configure
MIT Kerberos to use the MS-KKDCP proxy provided by IPA.
In that case IPA masters can be used as Kerberos proxies, but the actual
authentication decision is still made by the AD DCs.
-- 
/ Alexander Bokovoy
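As an added example (not part of the original message), a krb5.conf fragment for a client that reaches both its IPA realm and a trusted AD realm through the IPA-hosted KDC proxy described above. Hostnames and realm names are assumed placeholders, and the client needs an MIT Kerberos with KKDCP support (1.13 or later).

```ini
; Assumed names: IPA realm IPA.EXAMPLE.COM, trusted AD realm AD.EXAMPLE.COM,
; IPA master ipa.example.com. Replace them with your own.
[libdefaults]
  default_realm = IPA.EXAMPLE.COM

[realms]
  IPA.EXAMPLE.COM = {
    ; https:// KDC entries are sent as MS-KKDCP requests instead of UDP/TCP 88;
    ; /KdcProxy is the path served by the IPA master's KDC proxy.
    kdc = https://ipa.example.com/KdcProxy
    kpasswd_server = https://ipa.example.com/KdcProxy
  }
  AD.EXAMPLE.COM = {
    ; The IPA master only relays the exchange to the AD DCs; they still issue
    ; the TGT (and its PAC) and make the authentication decision.
    kdc = https://ipa.example.com/KdcProxy
  }

[domain_realm]
  .ipa.example.com = IPA.EXAMPLE.COM
  ipa.example.com = IPA.EXAMPLE.COM
  .ad.example.com = AD.EXAMPLE.COM
```

With explicit kdc entries the client does not need to reach port 88 on either the IPA master or the AD DCs, only HTTPS to the IPA master, which is the point of using the proxy from restricted networks.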

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project