[cifs-protocol] RE: How to validate the PAC in NETLOGON SRX080918600905

Andrew Bartlett abartlet at samba.org
Thu Nov 13 20:36:40 GMT 2008

On Thu, 2008-11-13 at 06:23 -0800, Richard Guthrie wrote:
> Andrew,
> We have revised the MS-PAC documentation to more accurately reflect
> signature verification requirements in section 2.8 as well as made
> several updates to clarify the relationship between MS-PAC and
> MS-KILE.  I have attached those three documents for your review.  The
> changes in each document are highlighted in yellow.
> Please let us know if you have any further questions.

You really need to say:

The server MUST verify the signature over the server checksum
([MS-PAC]section 2.8.2) and compare the result against the KDC checksum
passed in the request.

As you should not say 'signature' without indicating what it is over,
and 2.8.2 is a better reference.

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20081114/1646443c/attachment.bin

More information about the cifs-protocol mailing list