pac experiments
Andrew Bartlett
abartlet at samba.org
Thu Aug 25 21:37:11 GMT 2005
On Fri, 2005-08-26 at 00:45 +1000, tridge at samba.org wrote:
> Andrew,
>
> Thanks for showing me around the PAC problem today.
I see I have you hooked ;-)
> I did a little experiment that I think is perhaps quite
> enlightening. We were getting the following log error:
>
> 508.640> Kerb-Warn: Pac signature did not verify c000006d.
>
> which sounds like the srv_checksum->signature is wrong, but is it?
>
> I thought it would be worth _deliberately_ breaking the pac signatgure
> as follows:
>
> srv_checksum->signature[15] += 1;
>
> (note unlike my earlier email to you, I now have this in the right
> place, not in the bit before the zeroing of the signatures).
:-)
> With that in place the w2k3 client now gives:
>
> 508.644> Kerb-Error: Checksum on the PAC does not match! d:\srvrtm\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 570
> 508.644> Kerb-Warn: Pac signature did not verify c000006d.
>
> note the extra message? This means that our initial interpretation of
> the 'Pac signature did not verify' message was wrong, as when you
> _really_ get the signature wrong you get the "Checksum on the PAC does
> not match" message. So now we know that our signature code is really
> OK, and that it is some other property of the pac that is wrong.
Great! Now to find what that is, be it in the kerberos ticket, or some
lineup with DCE/RPC...
Thank-you very much,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050826/d3a87794/attachment.bin
More information about the samba-technical
mailing list