pac experiments

tridge at tridge at
Thu Aug 25 14:45:07 GMT 2005


Thanks for showing me around the PAC problem today.

I did a little experiment that I think is perhaps quite
enlightening. We were getting the following log error:

  508.640> Kerb-Warn: Pac signature did not verify c000006d.

which sounds like the srv_checksum->signature is wrong, but is it?

I thought it would be worth _deliberately_ breaking the pac signatgure
as follows:

	srv_checksum->signature[15] += 1;

(note unlike my earlier email to you, I now have this in the right
place, not in the bit before the zeroing of the signatures).

With that in place the w2k3 client now gives:

508.644> Kerb-Error: Checksum on the PAC does not match! d:\srvrtm\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 570
508.644> Kerb-Warn: Pac signature did not verify c000006d.

note the extra message? This means that our initial interpretation of
the 'Pac signature did not verify' message was wrong, as when you
_really_ get the signature wrong you get the "Checksum on the PAC does
not match" message. So now we know that our signature code is really
OK, and that it is some other property of the pac that is wrong.

Cheers, Tridge

More information about the samba-technical mailing list