[cifs-protocol] RE: How to validate the PAC in NETLOGON

Richard Guthrie rguthrie at microsoft.com
Thu Sep 4 13:54:05 GMT 2008 

Andrew,

I am still researching the issue you are getting with NT_STATUS_INVALID_PARAMETER however I wanted to send you an update to the documentation based on your last feedback regarding computation of the KDC signature.  Section 2.8.1 will be revised as follows (revised text in paragraph 3):

Section 2.8.1 Revision

Signatures are generated by the issuing KDC and depend on the cryptographic algorithms available to the KDC. The checksum type MUST be one of the values defined in the table in section 2.8. The key usage value MUST be KERB_NON_KERB_CKSUM_SALT (17). A PAC MUST contain two such signatures: one keyed so that the server can verify it, and the other keyed so that the KDC can verify it.
Prior to the signature being generated by the issuing KDC, the entire PAC must be constructed. The entire message, including the PACTYPE (section 2.3) header and all PAC elements, MUST be constructed into a contiguous buffer. The Signature fields of the PAC_SIGNATURE_DATA structures MUST all be set to zero.

To generate the server signature, the keyed hash function selected, as specified in [RFC4757], MUST be computed over the entire PAC buffer. The key selected for the algorithm MUST be the server's key known to the KDC. The resulting hash value is then placed in the Signature field of the server's PAC_SIGNATURE_DATA structure.
Before verifying the server signature, the Signature field values are removed from the PAC buffer and MUST be replaced with zeros. Then the hash is generated as specified in [RFC4757]. The resulting hash is compared with the locally stored version; if they match, the signature MUST be considered valid.

To generate the KDC signature, first the server signature must have been constructed according to the previous two paragraphs, then the keyed hash function MUST be computed over the signature field value of the server's PAC_SIGNATURE_DATA. The key selected for the algorithm MUST be the key of the KDC (krbtgt) itself [RFC4120]. The resulting hash is placed in the Signature field of the KDC's PAC_SIGNATURE_DATA structure.

To verify the KDC signature, the keyed hash MUST be generated over the version of the server signature received in the KERB_VERIFY_PAC_REQUEST structure [MS-APDS] (section 2.2.2.1) using the algorithm specified in the SignatureType field in the KERB_VERIFY_PAC_REQUEST structure. The resulting hash is compared with the KDC signature value in the Signature value field in the KERB_VERIFY_PAC_REQUEST structure; if they match, the signature MUST be considered valid.
A PAC with an invalid signature MUST be rejected.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, August 28, 2008 3:14 AM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How to validate the PAC in NETLOGON

On Thu, 2008-08-28 at 08:15 +1000, Andrew Bartlett wrote:
> On Wed, 2008-08-27 at 12:23 -0700, Richard Guthrie wrote:
> > Andrew,
>
> > To verify the KDC signature, the keyed hash MUST be generated over
> > the version of the server signature received in the
> > KERB_VERIFY_PAC_REQUEST structure [MS-APDS] (section 2.2.2.1) using
> > the algorithm specified in the SignatureType field in the
> > KERB_VERIFY_PAC_REQUEST structure. The resulting hash is compared
> > with the KDC signature value in the Signature value field in the
> > KERB_VERIFY_PAC_REQUEST structure; if they match, the signature MUST
> > be considered valid.
>
> Thankyou very much.  This makes *much* more sense now (the subtle
> re-wording made me re-read our PAC implementation, and realise that the
> KDC checksum is over the sever checksum, not the whole PAC).

However, I still get NT_STATUS_INVALID_PARAMETER (from the Kerberos package, according to netlogon.log on the windows side).  See the attached trace (critical packet is 175).  The code generating it is
here:

http://gitweb.samba.org/?p=samba.git;a=blob;f=source/torture/rpc/remote_pac.c;h=a01077a6c7327818817be15d95cdeb1afcc9784e;hb=acfa87f3411a61bdd9066fbbba2bcfbe2a60cbbe

The IDL I'm using for inside the generic package is:


        typedef [public] struct {
                uint32 MessageType;
                uint32 ChecksumLength;
                uint32 SignatureType;
                uint32 SignatureLength;
                [flag(NDR_REMAINING)] DATA_BLOB ChecksumAndSignature;
        } PAC_Validate;

Do you have any clues what I'm missing here?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list