[OpenAFS] ADS communications issue?

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 09 Sep 2009 10:55:36 -0400

Douglas E. Engert wrote:
> If its the large ticket problem, there is a way to tell AD that the service
> ticket for AFS does not need a PAC, thus reducing the size from maybe
> 12k to
> less then 500 bytes.
> See: http://support.microsoft.com/kb/305144
> And this which adds the NO_AUTH_DATA_REQUIRED
> http://support.microsoft.com/kb/832572
> Your admin can set NO_AUTH_DATA_REQUIRED on the afs service account in AD.

This only works if the afs service ticket is being served by AD.  It
does not work if cross-realm is being used to access an afs service
ticket from a MIT/Heimdal realm.  There is no method to remove the PAC
from a cross-realm tgt.

Jeffrey Altman