[cifs-protocol] RE: How to validate the PAC in NETLOGON

Andrew Bartlett abartlet at samba.org
Wed Aug 27 22:15:46 GMT 2008

On Wed, 2008-08-27 at 12:23 -0700, Richard Guthrie wrote:
> Andrew,

> To verify the KDC signature, the keyed hash MUST be generated over the
> version of the server signature received in the
> KERB_VERIFY_PAC_REQUEST structure [MS-APDS] (section using
> the algorithm specified in the SignatureType field in the
> KERB_VERIFY_PAC_REQUEST structure. The resulting hash is compared with
> the KDC signature value in the Signature value field in the
> KERB_VERIFY_PAC_REQUEST structure; if they match, the signature MUST
> be considered valid.

Thankyou very much.  This makes *much* more sense now (the subtle
re-wording made me re-read our PAC implementation, and realise that the
KDC checksum is over the sever checksum, not the whole PAC).   

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080828/26d415c0/attachment.bin

More information about the cifs-protocol mailing list