https://k5wiki.test.kerberos.org/wiki?action=history&feed=atom&title=Samba4%3A_Optional_PACs_for_Unix_clientsSamba4: Optional PACs for Unix clients - Revision history2026-05-14T19:00:02ZRevision history for this page on the wikiMediaWiki 1.27.4https://k5wiki.test.kerberos.org/wiki?title=Samba4:_Optional_PACs_for_Unix_clients&diff=2284&oldid=prevDon: New page: I've been asking consultant-friends about field deployments of AD, & how corporations use it. Their answers turn out to explain why AD admins & Unix-krb admins differ on whether PACs work...2009-08-31T17:39:06Z<p>New page: I've been asking consultant-friends about field deployments of AD, & how corporations use it. Their answers turn out to explain why AD admins & Unix-krb admins differ on whether PACs work...</p>
<p><b>New page</b></p><div>I've been asking consultant-friends about field deployments of<br />
AD, & how corporations use it. Their answers turn out to explain<br />
why AD admins & Unix-krb admins differ on whether PACs work.<br />
<br />
Summary: PACs don't work well in "one big realm" krb-deployments,<br />
which are the norm for Unix. (end summary)<br />
<br />
Unix-krb sites traditionally set up one big krb-realm, and they<br />
minimize use of inter-realm krb (in part because inter-realm<br />
referrals aren't yet well-specified, and unlike MS, Unix<br />
krb-admins care about standards-compliance.).<br />
One big realm implies one big set of group-names, so some users<br />
end up with oversized PACs. That leads to breakage, so some<br />
Unix-krb admins dislike PACs.<br />
<br />
On the Windows side, there are two patterns of AD deployment:<br />
Small-to-midsize companies tend to have many small AD domains<br />
(one per LAN, or one per dept, something like that). The group<br />
name-space has two segments: <br />
# a global set of group-names, which gets synchronized across all of the domain-servers; and<br />
# each small domain has some local group names that mean nothing to other groups, and which other groups don't know about.<br />
In this "many-small-domains" setup, each small domain has a<br />
small-enough set of group-names, so PACs don't get too big,<br />
even for users who are members of all the groups that their<br />
domain knows about. Running many small domains works for AD<br />
customers, because AD's inter-realm stuff is pretty easy to<br />
manage (albeit non-standard, & insecure in spots). <br />
<br />
The second style of AD deployment is the Fortune-500 way: <br />
One big company-wide domain, with many cloned satellite servers<br />
to meet scaling needs. In these deployments, the list of group<br />
names is large & universally visible, and PACs do get very big.<br />
So big, in fact, that accessing a Windows app-server can take <br />
one full minute of latency, while the app-server chews over the <br />
ticket's big PAC and the server's big set of ACL-rules.<br />
In these sites, people just accept that using networked services<br />
tends to run slow, and that sometimes AD has weird failures.<br />
Unix sites have seen before that PACs work poorly in this<br />
"one big realm" style of deployment. Since "one big realm" is<br />
the norm in kerberized Unix sites, the Unix-krb community isn't<br />
interested in having the MIT-krb distro _rely_ on PACs for authz. <br />
----</div>Don