[cifs-protocol] RE: How to validate the PAC in NETLOGON SRX080918600905

Andrew Bartlett abartlet at samba.org
Mon Oct 20 21:25:31 GMT 2008


On Mon, 2008-10-20 at 11:39 -0700, Richard Guthrie wrote:
> Andrew,
> 
> I wanted to follow up on your request to add the sentence 'because the
> client has already validated the server signature over the whole PAC,
> and because the KDC signature is calculated over the server signature,
> it is sufficient to send only the server signature to the NETLOGON
> server' to the MS-PAC documentation.  We feel that the addition of
> your suggested sentence is not accurate for the Microsoft
> implementation of MS-PAC. As per the documentation there must be 2
> signatures included in the PAC_INFO_BUFFER structure.  This is defined
> in sections 2.4 and 2.8 with respect to the ulType field.  There must
> be both type 0x00000006 and type 0x00000007 signatures present for PAC
> structure validation to succeed.

Sure, but you don't send both to the NETLOGON server.  As such, you need
to explain why this is valid. 

Given the love of MUST in this documentation set, perhaps:

The client MUST have already validated the server signature over the whole
PAC, and because the KDC signature is calculated over the server
signature, it is sufficient to send only the server signature to the
NETLOGON server for validation.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
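The two-signature chain the thread is arguing about, as an added example in simplified form (not code from the thread, Samba or Microsoft): it assumes HMAC-SHA256 in place of the Kerberos keyed checksums and uses constructed keys, and shows why the service's own server-signature check and the NETLOGON check each catch something the other does not.

```python
import hashlib
import hmac
# Simplified model of the two PAC signatures (added example, not Samba or
# Microsoft code). Real PACs use Kerberos keyed checksums over the PAC with
# both signature fields zeroed; HMAC-SHA256 stands in for that here.

def server_signature(pac_body, server_key):
    """ulType 0x00000006: checksum over the whole PAC with the service's key."""
    return hmac.new(server_key, pac_body, hashlib.sha256).digest()

def kdc_signature(server_sig, kdc_key):
    """ulType 0x00000007: checksum over the server signature with the KDC key."""
    return hmac.new(kdc_key, server_sig, hashlib.sha256).digest()

def service_check(pac_body, server_sig, server_key):
    """The client's own step: it holds server_key, so it verifies the full PAC."""
    return hmac.compare_digest(server_signature(pac_body, server_key), server_sig)

def netlogon_check(server_sig, kdc_sig, kdc_key):
    """The DC's step: recompute the KDC signature from the server signature
    alone; the PAC body never needs to be sent over NETLOGON."""
    return hmac.compare_digest(kdc_signature(server_sig, kdc_key), kdc_sig)

# Constructed sample values, not real key material.
SERVER_KEY = b"constructed-service-key"
KDC_KEY = b"constructed-krbtgt-key"
PAC_BODY = b"PAC_LOGON_INFO user=alice groups=[513]"

def validate(pac_body, server_sig, kdc_sig):
    """(service_ok, netlogon_ok) for one PAC presented to the service."""
    return (service_check(pac_body, server_sig, SERVER_KEY),
            netlogon_check(server_sig, kdc_sig, KDC_KEY))

def genuine():
    sig_s = server_signature(PAC_BODY, SERVER_KEY)
    return validate(PAC_BODY, sig_s, kdc_signature(sig_s, KDC_KEY))

def body_altered_after_signing():
    # Only the service's own check sees a changed PAC body, which is why the
    # client MUST validate the server signature before asking NETLOGON.
    sig_s = server_signature(PAC_BODY, SERVER_KEY)
    return validate(PAC_BODY + b"!", sig_s, kdc_signature(sig_s, KDC_KEY))

def server_signature_not_countersigned():
    # A server signature the KDC never signed over: the service's check
    # passes, but the DC's recomputed KDC signature does not match.
    sig_s = server_signature(PAC_BODY, SERVER_KEY)
    return validate(PAC_BODY, sig_s, b"\x00" * 32)
```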