[cifs-protocol] krbtgt key to sign PAC with on an RODC

Andrew Bartlett abartlet at samba.org
Mon Sep 27 05:25:08 MDT 2010

If a RODC signs the PAC with the krbtgt key of the RODC, how is this
marked in the PAC, so that another DC can verify the PAC if presented
over NetLogon?

MS-PAC 2.8.2 KDC Signature does not make this very clear. 

Does a RODC not provide this signature, as it can't get a the krbtgt
key, or does it use it's own krbtgt?  

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20100927/7357bf13/attachment.pgp>

More information about the cifs-protocol mailing list