[cifs-protocol] Update of MS-PAC spec regarding November 2021 security updates

Stefan Metzmacher metze at samba.org
Wed Nov 24 10:12:54 UTC 2021

Am 24.11.21 um 10:33 schrieb Alexander Bokovoy via cifs-protocol:
> Hello dochelp,
> I can see inconsistency in what is published on
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/
> with regards to the changes introduced as a part of the Microsoft
> Windows security update of November 2021. Could this inconsistency be
> clarified by publishing the new revision of the MS-PAC document?
> Errata document[1] talks about changes dated 2021/11/11 post V22.0 but the
> rest of the linked documents are only V22.0.
> In particular, the errata document[1] is saying:
> -----
> The following sections were changed or added. Please see the diff document for the
> details.
> In section 2.10 UPN_DNS_INFO, added four new fields and a flag to the
> UPN_DNS_INFO structure.
> In section 2.14 PAC_ATTRIBUTES_INFO, added section.
> In section 2.15 PAC_REQUESTOR, added section.
> -----
> The document published, however, does not have these changes. The last
> section in chapter 2 is '14', there is no section 2.15.

I'm seeing it here:

But for me the PAC_ATTRIBUTES_INFO documentation is a bit unclear:

We have this in Samba:
        typedef [bitmap32bit] bitmap {
                PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,

        typedef struct {
                uint32 flags_length; /* length in bits */
                PAC_ATTRIBUTE_INFO_FLAGS flags;

And the documentation has:

  FlagsLength (4 bytes): An unsigned 32-bit integer in little-endian format that describes the length,
                         in bits, of the Flags field.

  Flags (variable): an array of 32-bit unsigned integers in little-endian format that contains flag bits
                    describing the PAC.

It's not really clear that the array size is '((int)(flags_length/32))+1', for now it's seems to be just a single
uint32 element with two defined flags. Unless bit 33 will be defined someday, it would be easier to have it as

typedef struct {
  uint32 number_of_valid_flags;
  uint32 flags;

which is basically what we currently have in Samba, but in theory it would have to be

typedef struct {
  uint32 number_of_valid_flags;
  uint32 flags[(number_of_valid_flags/32)+1];


More information about the cifs-protocol mailing list