Actually Microsoft is working on a patch to AD that will allow the AD admin to set a "no PAC" in tickets for selected services. (KX509 and AFS for example.) I expect to see them release this any day as a hotfix. Once this is installed on the AD, clients would not need to use the NOPAC ticket mod as tickets issued for the Kx509 KCA or AFS would not have a PAC.
We too are interested in KX509, and added mods (sent to Bill) to allow for a 4K UDP packet as a stop gap measure. It gets fragmented but works. So the mod to the kinit krb5-1.3.1 may not be needed. But it did point out a problem in the way the pre-auth for the KERB-PA-PAC-REQUEST was being handled in the KDC.

[EMAIL PROTECTED] wrote:
>
> Douglas E. Engert's patch installs fairly easily on 1.3.1.
> http://mailman.mit.edu/pipermail/krbdev/2003-August/001917.html.
> It makes it practicable to use an AD KDC with older UDP-only
> Kerberos apps. So please include it or equivalent. KX509 is
> the application of interest to me, as per this example:
>
> $ kinit
> Password for [EMAIL PROTECTED]:
> $ kx509
> Weird! KX509 transmit packet is too large!
> $ kdestroy
> $ /opt/krb5/bin/kinit -m
> Password for [EMAIL PROTECTED]:
> $ kx509
> Timed out waiting for response from a Kerberized Certificate Authority
>
> As you can see there is no KCA running during this series.
> Without -m it doesn't get as far as trying to contact kca.
>
> Bob
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
