[cifs-protocol] RE: How to validate the PAC in NETLOGON
Andrew Bartlett
abartlet at samba.org
Wed Aug 27 22:15:46 GMT 2008
On Wed, 2008-08-27 at 12:23 -0700, Richard Guthrie wrote:
> Andrew,
> To verify the KDC signature, the keyed hash MUST be generated over the
> version of the server signature received in the
> KERB_VERIFY_PAC_REQUEST structure [MS-APDS] (section 2.2.2.1) using
> the algorithm specified in the SignatureType field in the
> KERB_VERIFY_PAC_REQUEST structure. The resulting hash is compared with
> the KDC signature value in the Signature value field in the
> KERB_VERIFY_PAC_REQUEST structure; if they match, the signature MUST
> be considered valid.
Thankyou very much. This makes *much* more sense now (the subtle
re-wording made me re-read our PAC implementation, and realise that the
KDC checksum is over the sever checksum, not the whole PAC).
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080828/26d415c0/attachment.bin
More information about the cifs-protocol
mailing list