[cifs-protocol] RE: How to validate the PAC in NETLOGON SRX080918600905

Andrew Bartlett abartlet at samba.org
Fri Oct 24 00:46:20 GMT 2008


On Thu, 2008-10-23 at 06:31 -0700, Richard Guthrie wrote:
> Andrew,
> 
> Thank you for the information.  We will re-evaluate this issue and
> provide you with a response shortly.  I would like to request a
> network capture along with an NDR dump of the packet containing the PAC
> as you have described to help understand the behavior you are seeing.
> Also if you can provide the version of OS for the server it would be
> helpful.

This behaviour is demonstrated by the RPC-PAC test in smbtorture
(torture/rpc/remote_pac.c)

	/* Checksum = server signature, Signature = KDC signature */
	pac_wrapped_struct.ChecksumLength =
		session_info->server_info->pac_srv_sig.signature.length;
	pac_wrapped_struct.SignatureType =
		session_info->server_info->pac_kdc_sig.type;
	pac_wrapped_struct.SignatureLength =
		session_info->server_info->pac_kdc_sig.signature.length;

	/* ChecksumAndSignature carries both, server signature first */
	pac_wrapped_struct.ChecksumAndSignature = payload
		= data_blob_talloc(tmp_ctx, NULL,
				   pac_wrapped_struct.ChecksumLength
				   + pac_wrapped_struct.SignatureLength);
	memcpy(&payload.data[0],
	       session_info->server_info->pac_srv_sig.signature.data,
	       pac_wrapped_struct.ChecksumLength);
	memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
	       session_info->server_info->pac_kdc_sig.signature.data,
	       pac_wrapped_struct.SignatureLength);

	/* NDR-encode the PAC_Validate wrapper for the NETLOGON call */
	ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx,
				       lp_iconv_convenience(tctx->lp_ctx),
				       &pac_wrapped_struct,
				       (ndr_push_flags_fn_t)ndr_push_PAC_Validate);


Trying again on the language:

The client MUST have already validated the server signature over the whole
PAC, and because the KDC signature is calculated over the server
signature, it is sufficient to send only the server signature and KDC
signature (rather than the whole PAC) to the NETLOGON server for
validation.


-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
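Added illustration (not Samba's code, not part of the original message) of why the two signatures alone are enough: the KDC signature is computed over the server signature bytes, so the DC side can check it without ever seeing the PAC. It assumes the RC4-HMAC signature type (RFC 4757 HMAC-MD5 checksum with MS-PAC key usage 17), a PAC body whose signature fields are already zeroed, and constructed keys.

```python
import hashlib
import hmac
import struct

# MS-PAC key usage number shared by both PAC signatures (KERB_NON_KERB_CKSUM_SALT).
PAC_KEY_USAGE = 17

def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """RFC 4757 HMAC-MD5 checksum, the RC4-HMAC PAC signature type."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def sign_pac(pac_zeroed: bytes, server_key: bytes, kdc_key: bytes) -> tuple:
    """Server signature covers the PAC; KDC signature covers the server signature."""
    server_sig = hmac_md5_checksum(server_key, PAC_KEY_USAGE, pac_zeroed)
    kdc_sig = hmac_md5_checksum(kdc_key, PAC_KEY_USAGE, server_sig)
    return server_sig, kdc_sig

def build_checksum_and_signature(server_sig: bytes, kdc_sig: bytes) -> bytes:
    """Same layout as ChecksumAndSignature in the smbtorture test: server sig, then KDC sig."""
    return server_sig + kdc_sig

def client_checks_server_sig(pac_zeroed: bytes, server_sig: bytes, server_key: bytes) -> bool:
    expected = hmac_md5_checksum(server_key, PAC_KEY_USAGE, pac_zeroed)
    return hmac.compare_digest(expected, server_sig)

def netlogon_validate(payload: bytes, checksum_len: int, sig_len: int, kdc_key: bytes) -> bool:
    """DC-side check: needs only the two signatures, never the PAC itself."""
    if len(payload) != checksum_len + sig_len:
        return False
    server_sig = payload[:checksum_len]
    kdc_sig = payload[checksum_len:]
    expected = hmac_md5_checksum(kdc_key, PAC_KEY_USAGE, server_sig)
    return hmac.compare_digest(expected, kdc_sig)

# Constructed sample keys and PAC body (not real Kerberos material).
SERVER_KEY = bytes(range(16))
KDC_KEY = bytes(range(16, 32))
PAC_ZEROED = b"constructed PAC logon info with signature fields zeroed"

def demo() -> dict:
    server_sig, kdc_sig = sign_pac(PAC_ZEROED, SERVER_KEY, KDC_KEY)
    payload = build_checksum_and_signature(server_sig, kdc_sig)
    # A server signature made with a different key does not match the KDC signature.
    wrong_sig = hmac_md5_checksum(b"\x00" * 16, PAC_KEY_USAGE, PAC_ZEROED)
    wrong_payload = build_checksum_and_signature(wrong_sig, kdc_sig)
    return {
        "client_ok": client_checks_server_sig(PAC_ZEROED, server_sig, SERVER_KEY),
        "dc_ok": netlogon_validate(payload, len(server_sig), len(kdc_sig), KDC_KEY),
        "dc_rejects_wrong_key": not netlogon_validate(wrong_payload, len(wrong_sig), len(kdc_sig), KDC_KEY),
    }
```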