[OpenAFS] Re: AFS and Windows PAC data still an issue?

John W. Sopko Jr. sopko@cs.unc.edu
Fri, 27 Jul 2007 13:40:25 -0400

Douglas E. Engert wrote:
> John W. Sopko Jr. wrote:
>> I have been testing AFS using Windows 2003 SP2 as the KDC.
>> Things seem to be working fine with OpenAFS 1.4.4 linux
>> clients using kinit/aklog and Red Hat pam_krb5afs module.
>> Also things seem to work fine with the Windows 1.5.21 afs
>> client and kfw 3.2 on Windows XP clients.
>> Is the PAC data still an issue with the latest OpenAFS release?
>> Is the issue the PAC data that is put in the afs/cell.name
>> service principal breaks older clients? Thanks for any input.
> Could still be an issue with older clients, that had a limit around 1k?
> OpenAFS added code to allow 12K, but I also saw a Microsoft article
> that raised their limit to 14K!
> But since AFS does not need the PAC you could tell AD 2003 to not send it.
> The original patch was:
>     http://support.microsoft.com/kb/832572
> It adds another bit to the userAccountControl
> http://support.microsoft.com/kb/305144
> You can get your AD admin to set this bit in the afs service account.

The afs/cell.name service principal only belongs to the standard
"domain users" group, (I think this is standard), and I do not believe
the afs service principal will need to be in any other groups. Thus
the PAC data for the service principal should not be growing. And as
long as it is less than 12k this should not cause a problem,
sound correct? Thanks.


John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175
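Added example, not from this thread or from OpenAFS: assuming the ActiveDirectory PowerShell module and a service account named `afs-svc` (a placeholder for whichever account holds the afs/cell.name SPN), this checks and sets the NO_AUTH_DATA_REQUIRED bit (0x2000000, the userAccountControl flag described in KB 832572) so the KDC stops including a PAC in tickets for that service, then reads the value back to verify.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (RSAT) and that the afs/cell.name SPN is registered on the account below.
Import-Module ActiveDirectory

$account = 'afs-svc'                 # placeholder: your AFS service account
$NO_AUTH_DATA_REQUIRED = 0x2000000   # userAccountControl flag from KB 832572

$u   = Get-ADUser -Identity $account -Properties userAccountControl, servicePrincipalName
$uac = [int]$u.userAccountControl

# Sanity check: only touch the account that actually carries an afs/ SPN.
if (-not ($u.servicePrincipalName -match '^afs/')) {
    throw "$account does not carry an afs/ SPN; refusing to change it"
}

if ($uac -band $NO_AUTH_DATA_REQUIRED) {
    "PAC already disabled for {0} (userAccountControl=0x{1:X})" -f $account, $uac
} else {
    # Set only this one bit; every other flag on the account is preserved.
    Set-ADUser -Identity $account -Replace @{ userAccountControl = ($uac -bor $NO_AUTH_DATA_REQUIRED) }
    $new = [int](Get-ADUser -Identity $account -Properties userAccountControl).userAccountControl
    "userAccountControl changed 0x{0:X} -> 0x{1:X}" -f $uac, $new
}
```

Only service tickets issued after the change are affected; a client that already holds a cached afs/cell.name ticket keeps its PAC until that ticket expires or is re-obtained.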