[OpenAFS] Kerberos Ticket Sizes when using AD as the KDC and OpenAFS

Douglas E. Engert deengert@anl.gov
Thu, 26 Jan 2006 14:16:47 -0600

ted creedon wrote:
> What happens to non service tickets?

Not sure what you mean. The user's PAC is added to the initial TGT for the user
then copied to service tickets and cross-realm TGTs and the service ticket for AFS.

The NO_AUTH_REQUIRED bit would only be set on the account for the AFS  server
principal in AD, then when a service ticket is created for AFS the AD KDC will
not copy the user's PAC to the AFS service ticket.

Tickets for other services will still get a PAC.

Since the AFS cache manager has some 12000 byte limits on the size of
the ticket, and it does not use the PAC anyway,  telling the KDC to not send
the PAC to AFS means AFS does not have to deal with user is lots of AD groups.

> tedc
> Douglas E. Engert wrote:
>> From the article:
>> "New resolution for problems that occur when users belong to many groups"
>> http://support.microsoft.com/?kbid=327825
>> It looks like XP and W2003 no longer have a max_token_size limit, and 
>> thus
>> the size of a ticket could now be above 12,000 bytes.
>> So for any sites that use Active Directory as the KDC and OpenAFS,
>> keep this folloeing option in mind for the afs/cell@realm principal
>> "An update is available that introduces the NO_AUTH_REQUIRED flag to
>> the UserAccountControl property in Windows Server 2003 and in Windows 
>> 2000"
>> http://support.microsoft.com/kb/832572
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444