PAC Success!

Andrew Bartlett abartlet at samba.org
Tue Aug 30 11:02:22 GMT 2005


While a few of you have already noticed, I realised that I had not yet
announced our success with the PAC.

As many of you know, Samba4 has an implementation of the Active
Directory logon protocols, and we demonstrated WinXP performing a domain
join, and domain logon many months ago.  

Until recently, we were in a situation of 'one step forward, two steps
back', as we have enabled a KDC in Samba4, and are using it quite
successfully. However, the KDC we are operating is still unable to
generate a PAC acceptable to the Windows client, which causes the
Windows domain logon to fail.  That's a real pity, because that login
was the pride of the SambaXP show - it really demonstrates how far we
have come.

As we moved on, we have added Kerberos to our collection of implemented
protocols, incorporating modified snapshots of Heimdal Kerberos into the
source.  However, this was one of those 'two steps forward, one step
back' moments, as we were forced to implement the PAC, to satisfy the
domain logon.

Anyway, Microsoft's proprietary extension to Kerberos, the PAC is a
signed and validated data structure that includes information on the
user and their group membership.  As such, it is mandatory for the
domain logon sequence.

For the last 12 months, I have been working on and off, along with
Stefan Metzmacher and others on the Samba and Heimdal teams, to build a
KDC that a Windows client will respect as one of its own. Slowly, we
have built backends, hacks, and patches for the KDC we derived from the
Heimdal Kerberos.

As the months have gone by, we have got closer and closer, and last
Friday we finally cracked it:  I arranged to spend a Thursday with
Tridge, to show him the ropes, and to see what progress we could make,
and we continued to work on the problem on Friday.  Tridge made the
first real headway by narrowing the problem to just Kerberos (by using
proxies and an account database obtained from Win2k3 with samsync).

As the day progressed Tridge and I attacked just the Kerberos
differences.  We even had Samba4 issue a service ticket from an AS-REQ
issued by Win2k3.  This allowed us to use a 'real PAC' in a Samba4
ticket (and allowed us to narrow the differences further).

Anyway, the long and short of it is that we can now generate a PAC fully
acceptable to the Windows workstation!

In going so far, I do have to thank Stefan Metzmacher, Andrew Tridgell
and Love Hörnquist Åstrand, because without their efforts, this simply
would not have been possible!

To try this yourselves, set:

    gensec:gssapi_krb5=yes

in your Samba4 smb.conf, and follow the HOWTO in the Samba4 checkout.

Andrew Bartlett 
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
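The message describes the PAC as a signed and validated structure carrying the user's identity and group membership, which is exactly what a Windows workstation checks before it accepts a domain logon from a KDC. The following is an added, self-contained illustration of that signing and validation step; it is not Samba or Heimdal code and is not from the post. It builds a minimal PAC blob with the PACTYPE header and PAC_INFO_BUFFER layout from the public MS-PAC specification, signs it with the KERB_CHECKSUM_HMAC_MD5 checksum from RFC 4757 (the checksum used with RC4-HMAC keys), and then verifies both the server and KDC signatures. The logon-info payload, the two keys and the helper names (`build_pac`, `parse_pac`, `verify_server_signature`, `verify_kdc_signature`) are constructed for this example; a real PAC_LOGON_INFO buffer is NDR-encoded and the RODCIdentifier field of newer signatures is omitted here.

```python
"""Constructed example: build a minimal MS-PAC blob and verify its signatures.
Layout follows MS-PAC (PACTYPE / PAC_INFO_BUFFER / PAC_SIGNATURE_DATA);
checksum is KERB_CHECKSUM_HMAC_MD5 from RFC 4757 section 4."""
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC section 2.4)
PAC_LOGON_INFO = 0x00000001
PAC_SERVER_CHECKSUM = 0x00000006   # signed with the service's key
PAC_PRIVSVR_CHECKSUM = 0x00000007  # signed with the KDC's (krbtgt) key

KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # SignatureType for RC4-HMAC keys
KERB_NON_KERB_CKSUM_SALT = 17        # key usage number for PAC signatures
SIG_LEN = 16                         # HMAC-MD5 signature length


def hmac_md5_checksum(key: bytes, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5: Ksign = HMAC(K, "signaturekey\\0"),
    checksum = HMAC(Ksign, MD5(usage || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", KERB_NON_KERB_CKSUM_SALT) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def _align8(n: int) -> int:
    return (n + 7) & ~7


def build_pac(buffers, server_key: bytes, kdc_key: bytes) -> bytes:
    """buffers: list of (ulType, payload) for the non-signature buffers.
    Appends the two signature buffers and fills them in."""
    empty_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * SIG_LEN
    entries = list(buffers) + [(PAC_SERVER_CHECKSUM, empty_sig),
                               (PAC_PRIVSVR_CHECKSUM, empty_sig)]
    header_len = 8 + 16 * len(entries)        # cBuffers, Version, then entries
    offset = _align8(header_len)              # buffers are 8-byte aligned
    header = struct.pack("<II", len(entries), 0)
    body = b""
    sig_pos = {}
    for ultype, payload in entries:
        header += struct.pack("<IIQ", ultype, len(payload), offset)
        if ultype in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
            sig_pos[ultype] = offset + 4      # Signature follows SignatureType
        padded = payload + b"\x00" * (_align8(len(payload)) - len(payload))
        body += padded
        offset += len(padded)
    pac = bytearray(header + b"\x00" * (_align8(header_len) - header_len) + body)
    # Server checksum covers the whole PAC with both Signature fields zeroed
    # (they still are at this point); KDC checksum covers the server signature.
    server_sig = hmac_md5_checksum(server_key, bytes(pac))
    pos = sig_pos[PAC_SERVER_CHECKSUM]
    pac[pos:pos + SIG_LEN] = server_sig
    pos = sig_pos[PAC_PRIVSVR_CHECKSUM]
    pac[pos:pos + SIG_LEN] = hmac_md5_checksum(kdc_key, server_sig)
    return bytes(pac)


def parse_pac(pac: bytes) -> dict:
    """Return {ulType: (offset, payload)} from a PACTYPE blob."""
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version")
    result = {}
    for i in range(count):
        ultype, size, off = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if off + size > len(pac):
            raise ValueError("PAC_INFO_BUFFER points outside the blob")
        result[ultype] = (off, pac[off:off + size])
    return result


def _signature(pac: bytes, bufs: dict, ultype: int):
    off, payload = bufs[ultype]
    sig_type, = struct.unpack_from("<I", payload, 0)
    if sig_type != KERB_CHECKSUM_HMAC_MD5:
        raise ValueError("unsupported SignatureType")
    return off + 4, payload[4:4 + SIG_LEN]


def verify_server_signature(pac: bytes, server_key: bytes) -> bool:
    bufs = parse_pac(pac)
    spos, ssig = _signature(pac, bufs, PAC_SERVER_CHECKSUM)
    kpos, _ = _signature(pac, bufs, PAC_PRIVSVR_CHECKSUM)
    zeroed = bytearray(pac)
    zeroed[spos:spos + SIG_LEN] = b"\x00" * SIG_LEN
    zeroed[kpos:kpos + SIG_LEN] = b"\x00" * SIG_LEN
    return hmac.compare_digest(hmac_md5_checksum(server_key, bytes(zeroed)), ssig)


def verify_kdc_signature(pac: bytes, kdc_key: bytes) -> bool:
    bufs = parse_pac(pac)
    _, ssig = _signature(pac, bufs, PAC_SERVER_CHECKSUM)
    _, ksig = _signature(pac, bufs, PAC_PRIVSVR_CHECKSUM)
    return hmac.compare_digest(hmac_md5_checksum(kdc_key, ssig), ksig)


# Constructed inputs: an opaque stand-in for PAC_LOGON_INFO and two test keys.
SERVER_KEY = bytes(range(16))
KDC_KEY = bytes(range(16, 32))
SAMPLE_PAC = build_pac([(PAC_LOGON_INFO, b"constructed logon info blob")],
                       SERVER_KEY, KDC_KEY)
```

A workstation that accepts a ticket checks the server signature with its own key; if the PAC is altered after the KDC signed it, or was signed by something that is not the KDC, `verify_server_signature` returns False and the logon should be refused, which is the failure the post describes seeing while the Samba4 KDC's PAC was still wrong.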