2 files changed, 8 insertions, 1 deletions

diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 0f1b0779b2..33be657ce8 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -143,6 +143,7 @@ krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
 				    krb5_context context,
 				    krb5_keyblock *krbtgt_keyblock,
 				    krb5_keyblock *server_keyblock,
+				    time_t tgs_authtime,
 				    DATA_BLOB *pac);
 
 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 006b54590f..9617e4fd01 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -385,6 +385,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 				     krb5_context context,
 				     krb5_keyblock *krbtgt_keyblock,
 				     krb5_keyblock *service_keyblock,
+				     time_t tgs_authtime,
 				     DATA_BLOB *pac)
 {
 	NTSTATUS nt_status;
@@ -478,7 +479,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 	LOGON_INFO->info3.base.last_logon	= timeval_to_nttime(&tv);
 
 	LOGON_NAME->account_name	= server_info->account_name;
-	LOGON_NAME->logon_time		= timeval_to_nttime(&tv);
+
+	/*
+	  this logon_time field is absolutely critical. This is what
+	  caused all our pac troubles :-)
+	*/
+	unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
 
 	ret = kerberos_encode_pac(mem_ctx, 
 				  pac_data,