> If PAC is not being used using key, how is group membership determined?

By asking the IPA master to give the list of groups the AD user belongs to. The complexity of this process makes it hard to have the full list of groups available in advance in all cases.

The MS-PAC record in a Kerberos ticket has the feature that the AD DC will put the correct and full list of groups the user is a member of at the time of issuing the TGT, signed by the AD DC's signature. This means that after validating the ticket we can trust its content for caching. In case of no PAC data being available we have to resort to less precise methods that would give incomplete information for some situations, like incomplete GC content for multidomain
> Also: it feels like the Linux client is contacting AD to obtain a Kerberos
> ticket and not the IPA-server. (for AD users). Is that true?

Yes, how would you imagine doing it differently? AD DCs are authoritative for their users, not the IPA KDC. This is a basic feature of the Kerberos protocol.

With IPA 4.2 on systems like RHEL 7.2/CentOS 7.2/Fedora 23 you can configure MIT Kerberos to use the MS-KKDCP proxy provided by IPA. In such a case IPA masters can be used as a Kerberos proxy, but the actual authentication decision is done by the AD DCs anyway.
/ Alexander Bokovoy
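The proxy setup described in the reply above, as an added example that is not part of the original thread: a minimal `/etc/krb5.conf` on a Linux client that sends both the IPA realm and the trusted AD realm through the IPA master's MS-KKDCP endpoint. The realm names and the host name `ipa-master.ipa.example.test` are assumptions; the `/KdcProxy` path is the endpoint IPA 4.2 masters expose.

```ini
# Added example (not from the mailing-list thread). Realm and host names are
# assumptions; replace them with the values of your own deployment.
[libdefaults]
    default_realm = IPA.EXAMPLE.TEST
    # Pin the KDC addresses below instead of discovering them through DNS SRV
    # records, so the client really goes through the proxy.
    dns_lookup_kdc = false

[realms]
    IPA.EXAMPLE.TEST = {
        # IPA 4.2+ masters serve the MS-KKDCP protocol over HTTPS at /KdcProxy.
        kdc = https://ipa-master.ipa.example.test/KdcProxy
    }
    AD.EXAMPLE.TEST = {
        # The same proxy relays AS/TGS exchanges for the AD realm to the AD DCs.
        # The AD DC still makes the authentication decision and issues the
        # ticket (including the signed PAC); the IPA master only forwards it.
        kdc = https://ipa-master.ipa.example.test/KdcProxy
    }

[domain_realm]
    .ipa.example.test = IPA.EXAMPLE.TEST
    .ad.example.test  = AD.EXAMPLE.TEST
```

This requires an MIT Kerberos client that understands `https://` KDC URLs (1.13 or later, which is what RHEL 7.2 ships) and a client trust store that contains the IPA CA so the TLS connection to the master validates. To confirm the proxy is actually used, run `KRB5_TRACE=/dev/stderr kinit user@AD.EXAMPLE.TEST` and check that the trace shows the HTTPS endpoint rather than a direct UDP/TCP connection to an AD DC.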