[cifs-protocol] RE: How to validate the PAC in NETLOGON

Richard Guthrie rguthrie at microsoft.com
Fri Aug 8 15:29:15 GMT 2008


Thank you for the request.  I will be working with you on this issue.  I need to review the documentation and will get back to you with a response shortly.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, August 08, 2008 3:07 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: How to validate the PAC in NETLOGON

In MS-APDS is claims that the client will send to the server the PAC signatures (but not apparently the whole PAC), and that the NETLOGON server (on the DC) must verify them.

How is it meant to verify the signatures, if it does not have the PAC to verify checksum over?

Also, is there a command I can run on windows to cause this NETLOGON pac validation to happen?  (The document could do with a worked example here, and in the PAC document).


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list