Just for the record, a Windows 2000 client will send some preauth data requesting that the PAC be included (this is described in John Brezak's IETF draft specifying the PAC format). That may be what was being referred to in previous mails. The default is to include the PAC, but it might be sensible for a UNIX-based KDC to make the default to not include the PAC.
Adding support to a KDC for the PAC is not that difficult if you have a sensible architecture (for example, an integrated directory backend for the KDC). The difficulty lies in some of the other, unpublished, protocols which are necessary to domain logon.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
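The PAC-request preauth data described in the message above, as an added example that is not part of the original post or of any KDC's code: a sketch of how a KDC could decode that padata and apply a configurable default. The padata type 128 and the `KERB-PA-PAC-REQUEST` layout are taken from Microsoft's published Kerberos extension documentation (MS-KILE), not from this message; the function names and the sample bytes are constructed for illustration.

```python
# Added example. Assumed wire format (MS-KILE):
#   KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
PA_PAC_REQUEST = 128   # padata-type carrying the request
PA_ENC_TIMESTAMP = 2   # unrelated padata, used only in the sample below


def _tlv(buf, tag):
    """Decode a single short-form TLV that must fill buf; return its value."""
    if len(buf) < 2 or buf[0] != tag:
        raise ValueError("unexpected tag")
    length = buf[1]
    if length & 0x80:
        raise ValueError("long-form length not valid for this structure")
    if len(buf) != 2 + length:
        raise ValueError("truncated or trailing bytes")
    return buf[2:]


def parse_pac_request(value):
    """Return the include-pac flag from a PA-PAC-REQUEST padata value."""
    seq = _tlv(value, 0x30)     # SEQUENCE
    ctx = _tlv(seq, 0xA0)       # [0] EXPLICIT
    flag = _tlv(ctx, 0x01)      # BOOLEAN
    if len(flag) != 1:
        raise ValueError("BOOLEAN must be one octet")
    return flag[0] != 0         # DER uses 0xFF for TRUE; accept any non-zero


def include_pac(padata, default_include):
    """Decide whether to issue a PAC for a request.

    padata: list of (padata_type, value_bytes) from the AS-REQ.
    default_include: site policy when the client expresses no preference,
    e.g. False for a UNIX KDC serving clients that cannot use a PAC.
    A malformed PA-PAC-REQUEST raises ValueError so the request is rejected.
    """
    for ptype, value in padata:
        if ptype == PA_PAC_REQUEST:
            return parse_pac_request(value)
    return default_include


# Constructed sample values (not captured traffic).
WANT_PAC = bytes.fromhex("3005a0030101ff")
NO_PAC = bytes.fromhex("3005a003010100")

if __name__ == "__main__":
    print(include_pac([(PA_ENC_TIMESTAMP, b"..."), (PA_PAC_REQUEST, WANT_PAC)], False))
    print(include_pac([(PA_ENC_TIMESTAMP, b"...")], False))
```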