pac experiments

Andrew Bartlett abartlet at
Thu Aug 25 21:37:11 GMT 2005

On Fri, 2005-08-26 at 00:45 +1000, tridge at wrote:
> Andrew,
> Thanks for showing me around the PAC problem today.

I see I have you hooked ;-)

> I did a little experiment that I think is perhaps quite
> enlightening. We were getting the following log error:
>   508.640> Kerb-Warn: Pac signature did not verify c000006d.
> which sounds like the srv_checksum->signature is wrong, but is it?
> I thought it would be worth _deliberately_ breaking the pac signatgure
> as follows:
> 	srv_checksum->signature[15] += 1;
> (note unlike my earlier email to you, I now have this in the right
> place, not in the bit before the zeroing of the signatures).


> With that in place the w2k3 client now gives:
> 508.644> Kerb-Error: Checksum on the PAC does not match! d:\srvrtm\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 570
> 508.644> Kerb-Warn: Pac signature did not verify c000006d.
> note the extra message? This means that our initial interpretation of
> the 'Pac signature did not verify' message was wrong, as when you
> _really_ get the signature wrong you get the "Checksum on the PAC does
> not match" message. So now we know that our signature code is really
> OK, and that it is some other property of the pac that is wrong.

Great!  Now to find what that is, be it in the kerberos ticket, or some
lineup with DCE/RPC...

Thank-you very much,

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list