[cifs-protocol] RE: How to validate the PAC in NETLOGON SRX080918600905

Richard Guthrie rguthrie at microsoft.com
Fri Jan 9 16:35:41 GMT 2009


Andrew,

Your suggestion to improve the text in MS-APDS has been accepted and we have modified the documentation accordingly.  I have attached the updated section for completeness.  Thank you for your feedback.

Richard Guthrie
Support Escalation Engineer 
Open Protocols Support Team
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Thursday, November 13, 2008 2:37 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How to validate the PAC in NETLOGON SRX080918600905

On Thu, 2008-11-13 at 06:23 -0800, Richard Guthrie wrote:
> Andrew,
> 
> We have revised the MS-PAC documentation to more accurately reflect 
> signature verification requirements in section 2.8 as well as made 
> several updates to clarify the relationship between MS-PAC and 
> MS-KILE.  I have attached those three documents for your review.  The 
> changes in each document are highlighted in yellow.
> 
> Please let us know if you have any further questions.

In MS-APDS 3.2.5.2 Processing a KERB_VERIFY_PAC_REQUEST Message, you really need to say:

The server MUST verify the signature over the server checksum ([MS-PAC] section 2.8.2) and compare the result against the KDC checksum passed in the request.

As you should not say 'signature' without indicating what it is over, and 2.8.2 is a better reference.

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SRX081217601209.zip
Type: application/x-zip-compressed
Size: 112720 bytes
Desc: SRX081217601209.zip
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20090109/16e8a34c/SRX081217601209-0001.bin
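
The check proposed in the thread (recompute the KDC signature over the server checksum and compare it with the KDC checksum from the request), as an added example that is not part of the original messages or of the Microsoft documents. It assumes an RC4-HMAC krbtgt key, so the checksum is KERB_CHECKSUM_HMAC_MD5 from RFC 4757 with key usage 17; the function names, keys and PAC bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumption: key usage 17 (KERB_NON_KERB_CKSUM_SALT) for PAC signatures.
PAC_CKSUM_USAGE = 17


def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 as specified in RFC 4757."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def verify_pac_request(krbtgt_key, server_checksum, kdc_checksum) -> bool:
    """Recompute the KDC checksum over the server checksum and compare."""
    expected = hmac_md5_checksum(krbtgt_key, PAC_CKSUM_USAGE, server_checksum)
    return hmac.compare_digest(expected, kdc_checksum)  # constant-time compare


# Constructed sample values, not real keys or a real PAC.
KRBTGT_KEY = bytes(range(16))
SERVICE_KEY = bytes(range(16, 32))
PAC_BODY = b"constructed PAC buffers with both signature fields zeroed"


def demo():
    # What the KDC issued: server checksum, then KDC checksum computed over it.
    server_cksum = hmac_md5_checksum(SERVICE_KEY, PAC_CKSUM_USAGE, PAC_BODY)
    kdc_cksum = hmac_md5_checksum(KRBTGT_KEY, PAC_CKSUM_USAGE, server_cksum)
    genuine = verify_pac_request(KRBTGT_KEY, server_cksum, kdc_cksum)

    # A PAC altered after issuance: its server checksum changes, so the
    # KDC checksum from the original ticket no longer matches it.
    altered = hmac_md5_checksum(SERVICE_KEY, PAC_CKSUM_USAGE, PAC_BODY + b"!")
    rejected = not verify_pac_request(KRBTGT_KEY, altered, kdc_cksum)
    return genuine, rejected


if __name__ == "__main__":
    print(demo())
```

The KDC checksum covers only the server checksum bytes, which is why the wording in the thread insists on naming what the signature is over.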

