PAC signature verification for Samba3

Andrew Bartlett abartlet at
Thu Aug 11 22:21:21 GMT 2005

On Thu, 2005-08-11 at 20:37 +0200, Guenther Deschner wrote:
> Hi,
> attached a first patch to use PAC information in Samba3. It verifies the
> server-signature and copies the user- and group-sid into the server-info.
> Basically I ported samba4-knowledge and two samba4-heimdal functions to
> make verification of the server-signature work (no clue how to verify the
> kdc-signature yet). This currently only compiles with Heimdal.

You don't verify the KDC signature on a member server, so you don't need
to worry about that. (This code is in Samba4 for our KDC, not member
server side).

> As we now have so many Kerberos-experts: is this the right approach? 

For the string2key approach, this looks nice and clean - it is certainly
the easier option.  For the keytab code, the 'copy code from heimdal'
approach looks like the only option, despite it being really, really
disgusting :-)

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College