[Samba4] PAC and XP logon status

Andrew Bartlett abartlet at samba.org
Tue Aug 16 06:49:59 GMT 2005

With the increasing interest in Samba4, and in particular that of domain
logons from clients such as WinXP, I figured it was a good time to
summarise one of the roadblocks we know to be left.  

Currently, we are in a situation of 'one step forward, two steps back',
as we have enabled a KDC in Samba4, and are using it quite successfully.
However, the KDC we are operating is still unable to generate a PAC
acceptable to the windows client, which causes the windows domain logon
to fail.  That's a real pity, because that login was the pride of the
SambaXP show - it really demonstrates how far we have come.

Anyway, Micrsoft's proprietary extension to Kerberos, the PAC is a
signed and validated data structure that includes information on the
user and their group membership.  As such, it is mandatory for the
domain logon sequence.

For the last 12 months, I have been working on and off, along with
others on the Samba and Heimdal teams, to built a KDC that a Windows
client will respect as one of it's own. Slowly, we have built
backends, hacks, and patches for the KDC we derived from the Heimdal

As the months have gone by, we have got closer and closer: We now
accept the PAC when generated by windows, and have written tests (with
static data) that ensure we continue to. We accept the PAC we
generate, and can produce a PAC that matches the windows format
exactly. But still, we don't have it quite right: we still don't
have something right.

It is a game I have come to know as whack a mole: Always one more
thing, one more problem to be solved, and no particular clue how to
solve it. The hunt is again on, and the exact byte-for-byte
differences need to be tracked down, one by one.

In going so far, I do have to thank Stefan Metzmacher and Love Hörnquist
Åstrand, because without their efforts, going even this far would not be

Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050816/b11a9912/attachment.bin

More information about the samba-technical mailing list