[cifs-protocol] RE: How to validate the PAC in NETLOGON

Wed Aug 27 19:23:11 GMT 2008

Andrew,

Regarding your request for a tool/method to validate a users PAC, I am still researching this issue and will get back to you by Friday with an update.  With respect to the documentation, we will be correcting MS-PAC section 2.8.1 in a future documentation release to read as follows:

Section 2.8.1 Revision

Signatures are generated by the issuing KDC and depend on the cryptographic algorithms available to the KDC. The checksum type MUST be one of the values defined in the table in section 2.8. The key usage value MUST be KERB_NON_KERB_CKSUM_SALT (17). A PAC MUST contain two such signatures: one keyed so that the server can verify it, and the other keyed so that the KDC can verify it.
Prior to the signature being generated by the issuing KDC, the entire PAC must be constructed. The entire message, including the PACTYPE (section 2.3) header and all PAC elements, MUST be constructed into a contiguous buffer. The Signature fields of the PAC_SIGNATURE_DATA structures MUST all be set to zero.

To generate the server signature, the keyed hash function selected, as specified in [RFC4757], MUST be computed over the entire PAC buffer. The key selected for the algorithm MUST be the server's key known to the KDC. The resulting hash value is then placed in the Signature field of the server's PAC_SIGNATURE_DATA structure.
Before verifying the server signature, the Signature field values are removed from the PAC buffer and MUST be replaced with zeros. Then the hash is generated as specified in [RFC4757]. The resulting hash is compared with the locally stored version; if they match, the signature MUST be considered valid.

To generate the KDC signature, the keyed hash function MUST be computed over the signature field value of the server's PAC_SIGNATURE_DATA. The key selected for the algorithm MUST be the key of the KDC (krbtgt) itself [RFC4120]. The resulting hash is placed in the Signature field of the KDC's PAC_SIGNATURE_DATA structure.

To verify the KDC signature, the keyed hash MUST be generated over the version of the server signature received in the KERB_VERIFY_PAC_REQUEST structure [MS-APDS] (section 2.2.2.1) using the algorithm specified in the SignatureType field in the KERB_VERIFY_PAC_REQUEST structure. The resulting hash is compared with the KDC signature value in the Signature value field in the KERB_VERIFY_PAC_REQUEST structure; if they match, the signature MUST be considered valid.

A PAC with an invalid signature MUST be rejected.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, August 27, 2008 12:40 AM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How to validate the PAC in NETLOGON

On Fri, 2008-08-08 at 08:29 -0700, Richard Guthrie wrote:
> Andrew,
>
> Thank you for the request.  I will be working with you on this issue.
> I need to review the documentation and will get back to you with a
> response shortly.

What happened here?  I've been attempting to implement this regardless of the unclear docs, but at least a way of getting windows to emit this request would be very useful.

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.