----- Original Message -----
> Hi,
> If PAC is not being used using key, how is group membership determined?
By asking IPA master to give list of groups AD user belongs to.
The complexity of this process makes it hard to have full list of groups 
available in advance in all cases.
MS-PAC record in Kerberos ticket has its feature that AD DC will put the 
correct and full list of groups
the user is a member of at the time of issuing TGT, signed by the AD DC's 
signature. This means after validating
the ticket we can trust its content for caching. In case of no PAC data 
available we have to resort to less precise
methods that would give incomplete information for some of situations like 
incomplete GC content for multidomain
AD forests.

> Also: it feels like the Linux client is contacting AD to obtain a Kerberos
> ticket and not the IPA-server. (for AD users). Is that true?
Yes, how would you imagine doing it differently? AD DCs are authoritative for 
their users, not IPA KDC.
This is basic feature of Kerberos protocol.

With IPA 4.2 on systems like RHEL 7.2/CentOS 7.2/Fedora 23 you can configure 
MIT Kerberos to use MS-KKDC proxy provided by IPA.
In such case IPA masters can be used as Kerberos proxy but the actual 
authentication decision is done by AD DCs anyway.
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to