Win2k & Samba compatibility?

Steve Langasek vorlon at
Thu Feb 10 15:45:41 GMT 2000

On Wed, 9 Feb 2000, Christopher R. Hertel wrote:

> Microsoft is using a proprietary Privilage Authorization Certificate.  
> Note the word "Authorization".  Kerberos was originally designed as an 
> Authentication service.  PACs were added as an option for K5.  Microsoft 
> has (last I heard) chosen not to release info about their PACs.

> The upshot is that many, many systems will have trouble.  I heard an MBONE
> multicast of a Q&A session with Vixie the other night.  He was explaining
> that in certain configurations a W2K box will expect to use it's PAC as
> authoriziation for DynDNS registrations.  Of course, a non-W2K DNS server
> won't recognize the encrypted, proprietary PAC and will drop the request
> on the floor, logging an unauthorized registration request. 

> The result will be that the DNS server will be filtering out large numbers
> (depending upon the network size and number of W2K boxes) of such packets
> and the W2K boxes won't be getting thier names registred.  Instant DoS.


So... how much work goes into figuring out an undocumented PAC?

> > I know some of the people who were working on a similar project at Iowa State.
> > However, I was never privy to the details, as the comp center has Policies
> > regarding source code. :)

> Samba is under GPL.  If they are merging their code with Samba they have 
> no choice.

Well, no... Under the most commonly accepted interpretation of the GPL,
they're only under an obligation to release source code IFF they actually
choose to redistribute the software.  They're not redistributing their work:
the SMB-AFS gateway is available as a service on the university network, but
no one outside of the comp center has access to the source or binaries.
Believe me, if I could wave a license agreement at them, I would. :D

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list