[cifs-protocol] RE: How to validate the PAC in NETLOGON
rguthrie at microsoft.com
Thu Nov 13 14:23:00 GMT 2008
We have revised the MS-PAC documentation to more accurately reflect signature verification requirements in section 2.8 as well as made several updates to clarify the relationship between MS-PAC and MS-KILE. I have attached those three documents for your review. The changes in each document are highlighted in yellow.
Please let us know if you have any further questions.
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
From: Andrew Bartlett [abartlet at samba.org]
Sent: Thursday, October 23, 2008 7:46 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How to validate the PAC in NETLOGON SRX080918600905
On Thu, 2008-10-23 at 06:31 -0700, Richard Guthrie wrote:
> Thank you for the information. We will re-evaluate this issue and
> provide you with a response shortly. I would like to request a
> network capture along with a NDR dump of the packet containing the PAC
> as you have described to help understand the behavior you are seeing.
> Also if you can provide the version of OS for the server it would be
This behaviour is demonstrated by the RPC-PAC test in smbtorture
pac_wrapped_struct.ChecksumAndSignature = payload
= data_blob_talloc(tmp_ctx, NULL,
ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx,
Trying again on the language:
The client MUST have already validated the server signature over the whole
PAC, and because the KDC signature is calculated over the server
signature, it is sufficient to send only the server signature and KDC
signature (rather than the whole PAC) to the NETLOGON server for
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
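Added example, not part of the original thread and not Samba or Microsoft code: a small model of the two-step check described in the proposed wording above, showing why the signature pair is enough for the NETLOGON side and why the local server-signature check must come first. Assumptions: plain HMAC-MD5 stands in for the Kerberos keyed checksum, and all function names, keys and the PAC body are constructed for illustration.

```python
import hashlib
import hmac


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    # Assumption: plain HMAC-MD5 as a stand-in, not the real PAC checksum algorithm.
    return hmac.new(key, data, hashlib.md5).digest()


def sign_pac(pac_body: bytes, server_key: bytes, kdc_key: bytes):
    """Issuer side: server signature over the PAC, KDC signature over that signature."""
    server_sig = keyed_checksum(server_key, pac_body)
    kdc_sig = keyed_checksum(kdc_key, server_sig)
    return server_sig, kdc_sig


def server_check(pac_body: bytes, server_sig: bytes, server_key: bytes) -> bool:
    """Step 1, local to the service: server signature over the whole PAC."""
    expected = keyed_checksum(server_key, pac_body)
    return hmac.compare_digest(expected, server_sig)


def kdc_check(server_sig: bytes, kdc_sig: bytes, kdc_key: bytes) -> bool:
    """Step 2, on the DC: it receives only the two signatures, never the PAC body."""
    expected = keyed_checksum(kdc_key, server_sig)
    return hmac.compare_digest(expected, kdc_sig)


def validate(pac_body, server_sig, kdc_sig, server_key, kdc_key) -> str:
    """Models both sides in one call; in practice step 2 runs remotely on the DC."""
    if not server_check(pac_body, server_sig, server_key):
        return "server signature mismatch"
    if not kdc_check(server_sig, kdc_sig, kdc_key):
        return "KDC signature mismatch"
    return "ok"


if __name__ == "__main__":
    body = b"constructed PAC body"            # constructed sample input
    skey, kkey = b"S" * 16, b"K" * 16         # constructed keys
    ssig, ksig = sign_pac(body, skey, kkey)
    print(validate(body, ssig, ksig, skey, kkey))
    # Body altered, signatures untouched: caught locally in step 1.
    print(validate(body + b"!", ssig, ksig, skey, kkey))
    # Body altered and re-signed with the server key only: caught by the DC in step 2.
    resigned = keyed_checksum(skey, body + b"!")
    print(validate(body + b"!", resigned, ksig, skey, kkey))
```

Step 2 on its own says nothing about the PAC body: `kdc_check` accepts the original signature pair regardless of what body accompanies it, which is why the service has to complete step 1 before relying on the DC's answer.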
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 396416 bytes
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20081113/09de8961/SRX080918600905-0001.bin