pac experiments

Stefan (metze) Metzmacher metze at samba.org
Fri Aug 26 07:01:55 GMT 2005


Andrew Bartlett wrote:
> On Fri, 2005-08-26 at 00:45 +1000, tridge at samba.org wrote:
> 
>>Andrew,
>>
>>Thanks for showing me around the PAC problem today.
> 
> 
> I see I have you hooked ;-)
> 
> 
>>I did a little experiment that I think is perhaps quite
>>enlightening. We were getting the following log error:
>>
>>  508.640> Kerb-Warn: Pac signature did not verify c000006d.
>>
>>which sounds like the srv_checksum->signature is wrong, but is it?
>>
>>I thought it would be worth _deliberately_ breaking the pac signature
>>as follows:
>>
>>	srv_checksum->signature[15] += 1;
>>
>>(note unlike my earlier email to you, I now have this in the right
>>place, not in the bit before the zeroing of the signatures).
> 
> 
> :-)
> 
> 
>>With that in place the w2k3 client now gives:
>>
>>508.644> Kerb-Error: Checksum on the PAC does not match! d:\srvrtm\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 570
>>508.644> Kerb-Warn: Pac signature did not verify c000006d.
>>
>>note the extra message? This means that our initial interpretation of
>>the 'Pac signature did not verify' message was wrong, as when you
>>_really_ get the signature wrong you get the "Checksum on the PAC does
>>not match" message. So now we know that our signature code is really
>>OK, and that it is some other property of the pac that is wrong.

great tridge!

maybe you can try to skip some of the PAC_BUFFERS, change the order and see if the error changes...

what happens when we don't send the LOGON_INFO, for example,
so we can try to work out which part it doesn't like

or what happens when we just send the 2 signatures?
...

--
metze

Stefan Metzmacher <metze at samba.org> www.samba.org