ted creedon wrote:
What happens to non service tickets?
Not sure what you mean. The user's PAC is added to the initial TGT for the user
then copied to service tickets and cross-realm TGTs and the service ticket for
AFS.
The NO_AUTH_REQUIRED bit would only be set on the account for the AFS server
principal in AD, then when a service ticket is created for AFS the AD KDC will
not copy the user's PAC to the AFS service ticket.
Tickets for other services will still get a PAC.
Since the AFS cache manager has some 12000 byte limits on the size of
the ticket, and it does not use the PAC anyway, telling the KDC to not send
the PAC to AFS means AFS does not have to deal with user is lots of AD groups.
tedc
Douglas E. Engert wrote:
From the article:
"New resolution for problems that occur when users belong to many groups"
http://support.microsoft.com/?kbid=327825
It looks like XP and W2003 no longer have a max_token_size limit, and
thus
the size of a ticket could now be above 12,000 bytes.
So for any sites that use Active Directory as the KDC and OpenAFS,
keep this folloeing option in mind for the afs/[EMAIL PROTECTED] principal
"An update is available that introduces the NO_AUTH_REQUIRED flag to
the UserAccountControl property in Windows Server 2003 and in Windows
2000"
http://support.microsoft.com/kb/832572
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
