pac experiments

Stefan (metze) Metzmacher
Fri Aug 26 07:01:55 GMT 2005



Andrew Bartlett wrote:
> On Fri, 2005-08-26 at 00:45 +1000, tridge at wrote:
>>Thanks for showing me around the PAC problem today.
> I see I have you hooked ;-)
>>I did a little experiment that I think is perhaps quite
>>enlightening. We were getting the following log error:
>>  508.640> Kerb-Warn: Pac signature did not verify c000006d.
>>which sounds like the srv_checksum->signature is wrong, but is it?
>>I thought it would be worth _deliberately_ breaking the pac signature
>>as follows:
>>	srv_checksum->signature[15] += 1;
>>(note unlike my earlier email to you, I now have this in the right
>>place, not in the bit before the zeroing of the signatures).
> :-)
>>With that in place the w2k3 client now gives:
>>508.644> Kerb-Error: Checksum on the PAC does not match! d:\srvrtm\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 570
>>508.644> Kerb-Warn: Pac signature did not verify c000006d.
>>note the extra message? This means that our initial interpretation of
>>the 'Pac signature did not verify' message was wrong, as when you
>>_really_ get the signature wrong you get the "Checksum on the PAC does
>>not match" message. So now we know that our signature code is really
>>OK, and that it is some other property of the pac that is wrong.

great tridge!

maybe you can try to skip some of the PAC_BUFFERS, change the order and see if the error changes...

what happens when we don't send the LOGON_INFO, for example,
so we can try to work out which part it doesn't like?

or what happens when we just send the 2 signatures?

Stefan Metzmacher
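
The experiment discussed in this thread, as an added example that is not part of the original messages and is not Samba's code: it signs a PAC with the signature fields zeroed, applies the same one-byte corruption as `srv_checksum->signature[15] += 1`, and re-signs a variant with the LOGON_INFO buffer dropped. It assumes the MS-PAC buffer layout and the RFC 4757 HMAC-MD5 checksum with key usage 17; the keys, the payload and all function names are constructed for illustration.

```python
import hashlib, hmac, struct

LOGON_INFO, SRV_CHECKSUM, KDC_CHECKSUM = 1, 6, 7   # PAC buffer types (MS-PAC)
HMAC_MD5, SIG_LEN, KEY_USAGE = -138, 16, 17        # RFC 4757 checksum type, size, usage

def checksum(key, data):
    """RFC 4757 HMAC-MD5 checksum, as used for RC4-keyed PAC signatures."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", KEY_USAGE) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()

def build_pac(buffers):
    """Serialize (type, bytes) pairs; return the PAC and each buffer's offset."""
    offset, offsets = 8 + 16 * len(buffers), {}
    header, body = struct.pack("<II", len(buffers), 0), b""
    for btype, data in buffers:
        header += struct.pack("<IIQ", btype, len(data), offset)
        offsets[btype] = offset
        body += data + b"\0" * (-len(data) % 8)      # buffers are 8-byte aligned
        offset = 8 + 16 * len(buffers) + len(body)
    return bytearray(header + body), offsets

def sig_slice(offsets, btype):
    start = offsets[btype] + 4                       # skip the 4-byte signature type
    return slice(start, start + SIG_LEN)

def sign_pac(buffers, srv_key, kdc_key):
    blank = struct.pack("<i", HMAC_MD5) + bytes(SIG_LEN)
    pac, offs = build_pac(buffers + [(SRV_CHECKSUM, blank), (KDC_CHECKSUM, blank)])
    srv = checksum(srv_key, bytes(pac))              # computed while both fields are zero
    pac[sig_slice(offs, SRV_CHECKSUM)] = srv
    pac[sig_slice(offs, KDC_CHECKSUM)] = checksum(kdc_key, srv)
    return pac, offs

def server_signature_ok(pac, offs, srv_key):
    zeroed = bytearray(pac)
    for btype in (SRV_CHECKSUM, KDC_CHECKSUM):
        zeroed[sig_slice(offs, btype)] = bytes(SIG_LEN)
    stored = bytes(pac[sig_slice(offs, SRV_CHECKSUM)])
    return hmac.compare_digest(stored, checksum(srv_key, bytes(zeroed)))

def break_signature(pac, offs):
    """Equivalent of srv_checksum->signature[15] += 1 on the finished PAC."""
    broken = bytearray(pac)
    idx = sig_slice(offs, SRV_CHECKSUM).start + 15
    broken[idx] = (broken[idx] + 1) & 0xFF
    return broken

# Constructed keys and a placeholder LOGON_INFO payload (not real NDR data).
SRV_KEY, KDC_KEY, INFO = b"S" * 16, b"K" * 16, b"constructed-logon-info"
```

Because `sign_pac` recomputes the checksum for whatever buffer list it is given, a variant with buffers dropped or reordered still carries a valid server signature, so a different client error for that variant points at the buffer contents rather than the checksum.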
