[cifs-protocol] RE: How to validate the PAC in NETLOGON SRX080918600905

Richard Guthrie rguthrie at microsoft.com
Thu Oct 23 13:31:32 GMT 2008


Andrew,

Thank you for the information.  We will re-evaluate this issue and provide you with a response shortly.  I would like to request a network capture along with a NDR dump of the packet containing the PAC as you have described to help understand the behavior you are seeing.  Also if you can provide the version of OS for the server it would be helpful.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, October 20, 2008 4:26 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How to validate the PAC in NETLOGON SRX080918600905

On Mon, 2008-10-20 at 11:39 -0700, Richard Guthrie wrote:
> Andrew,
>
> I wanted to follow up on your request to add the sentence 'because the
> client has already validated the server signature over the whole PAC,
> and because the KDC signature is calculated over the server signature,
> it is sufficient to send only the server signature to the NETLOGON
> server' to the MS-PAC documentation.  We feel that the addition of
> your suggested sentence is not accurate for the Microsoft
> implementation of MS-PAC. As per the documentation there must be 2
> signatures included in the PAC_INFO_BUFFER structure.  This is defined
> in sections 2.4 and 2.8 with respect to the ulType field.  There must
> be both type 0x00000006 and type 0x00000007 signatures present for PAC
> structure validation to succeed.

Sure, but you don't send both to the NETLOGON server.  As such, you need to explain why this is valid.

Given the love of MUST in this documentation set, perhaps:

The client MUST already have validated the server signature over the whole PAC, and because the KDC signature is calculated over the server signature, it is sufficient to send only the server signature to the NETLOGON server for validation.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
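The two-signature relationship that the thread argues about, as an added example that is not part of the mailing-list exchange and not Samba or Microsoft code. The PAC layout, the key names and the checksum are stand-ins chosen for this illustration: the PAC is modelled as `body || server_sig || kdc_sig`, and the keyed checksum is a plain HMAC-MD5 rather than the RFC 4757 checksum profile with its key usage number that a real PAC uses. What the example preserves is the structure under discussion: the server checksum covers the whole PAC with both signature fields zeroed, the KDC checksum covers only the server checksum, the service verifies the server checksum locally, and the domain controller's NETLOGON-side check needs only the signature bytes, not the PAC body. The forgery case at the end shows why that is enough: a holder of the service key alone can re-sign a modified body and pass the local check, but cannot produce a KDC signature the DC will accept.

```python
import hashlib
import hmac

# Assumed layout for this example (not the MS-PAC encoding): body || server_sig || kdc_sig.
SIG_LEN = 16  # HMAC-MD5 digest length


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Keyed checksum stand-in: plain HMAC-MD5 (assumption, not the RFC 4757 profile)."""
    return hmac.new(key, data, hashlib.md5).digest()


def build_pac(body: bytes, service_key: bytes, krbtgt_key: bytes) -> bytes:
    """KDC side: server checksum over the whole PAC with both signature fields zeroed,
    then KDC checksum over the server checksum bytes only."""
    zeroed = body + b"\x00" * SIG_LEN + b"\x00" * SIG_LEN
    server_sig = keyed_checksum(service_key, zeroed)
    kdc_sig = keyed_checksum(krbtgt_key, server_sig)
    return body + server_sig + kdc_sig


def split_pac(pac: bytes):
    body = pac[: -2 * SIG_LEN]
    server_sig = pac[-2 * SIG_LEN : -SIG_LEN]
    kdc_sig = pac[-SIG_LEN:]
    return body, server_sig, kdc_sig


def service_verifies_pac(pac: bytes, service_key: bytes) -> bool:
    """Kerberos service (the caller of NETLOGON): recompute the server checksum over the
    whole PAC with both signature fields zeroed and compare."""
    body, server_sig, _ = split_pac(pac)
    expected = keyed_checksum(service_key, body + b"\x00" * SIG_LEN * 2)
    return hmac.compare_digest(expected, server_sig)


def netlogon_verifies_server_sig(server_sig: bytes, kdc_sig: bytes, krbtgt_key: bytes) -> bool:
    """DC side of the NETLOGON PAC verification: it is handed the signature bytes only
    (assumed request shape) and checks the KDC checksum over the server signature.
    It never needs the PAC body, which the service has already checked."""
    return hmac.compare_digest(keyed_checksum(krbtgt_key, server_sig), kdc_sig)


def demo() -> dict:
    # Constructed sample keys and PAC body for this example.
    service_key = b"constructed-service-key"
    krbtgt_key = b"constructed-krbtgt-key"
    body = b"constructed PAC body: logon info for user alice"

    pac = build_pac(body, service_key, krbtgt_key)
    _, server_sig, kdc_sig = split_pac(pac)
    results = {
        "service_ok": service_verifies_pac(pac, service_key),
        "netlogon_ok": netlogon_verifies_server_sig(server_sig, kdc_sig, krbtgt_key),
    }

    # Forgery with the service key only: re-sign a modified body, keep the old KDC signature.
    tampered_body = body.replace(b"alice", b"admin")
    forged_server_sig = keyed_checksum(service_key, tampered_body + b"\x00" * SIG_LEN * 2)
    forged_pac = tampered_body + forged_server_sig + kdc_sig
    results["forged_service_ok"] = service_verifies_pac(forged_pac, service_key)
    results["forged_netlogon_ok"] = netlogon_verifies_server_sig(
        forged_server_sig, kdc_sig, krbtgt_key
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The local check passes for the forged PAC because the service key signs the body, which is exactly why a service that trusts only its own checksum is not enough; the NETLOGON check fails because the KDC signature binds the server signature to the krbtgt key, and that binding is what makes sending the signature alone sufficient.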

