PAC signature verification for Samba3

Luke Howard lukeh at padl.com
Fri Aug 12 02:50:26 GMT 2005


>You don't verify the KDC signature on a member server, so you don't need
>to worry about that.   (This code is in Samba4 for our KDC, not member
>server side).

This is half-true: a member server needs to verify the KDC signature if
a service tries to impersonate whilst running as an unprivileged user.
Otherwise, a service (which knows its own key) could forge a ticket to
itself with a PAC containing valid server signatures and SIDs belonging
to a more privileged user.

I'm not sure this makes sense under POSIX though (can a non-root
process set its effective UID to an arbitrary one?). Even if it did, you
want to avoid it if at all possible because the signature validation RPC
completely destroys the performance advantage of Kerberos authentication,
being that the accepting service does not need to contact a third party
in order to authenticate a client.

See:

	http://www.usenix.org/publications/login/1998-5/brundrett.html

-- Luke
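
The point made in the message above, as an added example that is not part of the original post or of Samba's code: a simplified PAC model in which HMAC-SHA256 stands in for the real PAC checksum types, the KDC signature covers the server signature, and all names, keys and SIDs are constructed for illustration. A PAC produced by the service itself passes a server-signature-only check and is rejected only when the KDC signature is validated.

```python
import hashlib
import hmac
import os

def mac(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the real PAC checksum types.
    return hmac.new(key, data, hashlib.sha256).digest()

def sign_pac(authz: bytes, server_key: bytes, kdc_key: bytes) -> dict:
    """Simplified PAC: server signature over the authorization data,
    KDC signature over the server signature."""
    server_sig = mac(server_key, authz)
    return {"authz": authz, "server_sig": server_sig,
            "kdc_sig": mac(kdc_key, server_sig)}

def verify_server_sig(pac: dict, server_key: bytes) -> bool:
    return hmac.compare_digest(pac["server_sig"], mac(server_key, pac["authz"]))

def kdc_verify(pac: dict, kdc_key: bytes) -> bool:
    """Models the validation round trip: only the KDC holds kdc_key."""
    return hmac.compare_digest(pac["kdc_sig"], mac(kdc_key, pac["server_sig"]))

def accept(pac: dict, server_key: bytes, kdc_validator=None) -> bool:
    """Accept a PAC; kdc_validator=None means the server signature alone is trusted."""
    if not verify_server_sig(pac, server_key):
        return False
    return True if kdc_validator is None else kdc_validator(pac)

def demo() -> dict:
    kdc_key, server_key = os.urandom(32), os.urandom(32)
    # Constructed sample authorization data (not real SIDs).
    genuine = sign_pac(b"user=alice;sid=S-1-5-21-1111-2222-3333-1105",
                       server_key, kdc_key)
    # The service knows server_key but not kdc_key, so the KDC signature
    # on a PAC it makes for itself can only be computed with some other key.
    self_made = sign_pac(b"user=alice;sid=S-1-5-21-1111-2222-3333-512",
                         server_key, os.urandom(32))
    validator = lambda pac: kdc_verify(pac, kdc_key)
    return {
        "genuine_server_only": accept(genuine, server_key),
        "self_made_server_only": accept(self_made, server_key),
        "genuine_with_kdc": accept(genuine, server_key, validator),
        "self_made_with_kdc": accept(self_made, server_key, validator),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```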
