[cifs-protocol] RE: How to validate the PAC in NETLOGON SRX080918600905

Richard Guthrie rguthrie at microsoft.com
Thu Nov 13 14:23:00 GMT 2008


We have revised the MS-PAC documentation to more accurately reflect signature verification requirements in section 2.8 as well as made several updates to clarify the relationship between MS-PAC and MS-KILE.  I have attached those three documents for your review.  The changes in each document are highlighted in yellow.

Please let us know if you have any further questions.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com

From: Andrew Bartlett [abartlet at samba.org]
Sent: Thursday, October 23, 2008 7:46 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How to validate the PAC in NETLOGON SRX080918600905

On Thu, 2008-10-23 at 06:31 -0700, Richard Guthrie wrote:
> Andrew,
> Thank you for the information.  We will re-evaluate this issue and
> provide you with a response shortly.  I would like to request a
> network capture along with a NDR dump of the packet containing the PAC
> as you have described to help understand the behavior you are seeing.
> Also if you can provide the version of OS for the server it would be
> helpful.

This behaviour is demonstrated by the RPC-PAC test in smbtorture

        pac_wrapped_struct.ChecksumLength =
        pac_wrapped_struct.SignatureType =
        pac_wrapped_struct.SignatureLength =
        pac_wrapped_struct.ChecksumAndSignature = payload
                = data_blob_talloc(tmp_ctx, NULL,
                                   + pac_wrapped_struct.SignatureLength);

        ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx,
lp_iconv_convenience(tctx->lp_ctx), &pac_wrapped_struct,

Trying again on the language:

The client MUST already validated the server signature over the whole
PAC, and because the KDC signature if calculated over the server
signature, it is sufficient to send only the server signature and KDC
signature (rather than the whole PAC) to the NETLOGON server for

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SRX080918600905.zip
Type: application/x-zip-compressed
Size: 396416 bytes
Desc: SRX080918600905.zip
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20081113/09de8961/SRX080918600905-0001.bin

More information about the cifs-protocol mailing list