PAC Sucess!

mschwartz at mschwartz at
Tue Aug 30 12:06:02 GMT 2005

A major Kudos is in order!  Outstanding news on the PAC!  

I would really like to do some testing outside of the basic file system.
 At this point, could someone send me their config files for Samba4 so
I can test domain joins/logons and other things?  I attempted to
"guess" some of the config setting but no dice.  Do I need to configure
Heimdal separately?  Any help provided will allow me to be of some use.


Andrew Bartlett <abartlet at> wrote on 08/30/2005, 01:02:22 PM:
> While a few of you have already noticed, I realised that I had not yet
> announced our success with the PAC.
> As many of you know, Samba4 has an implementation of the Active
> Directory logon protocols, and we demonstrated WinXP performing a domain
> join, and domain logon many months ago.  
> Until recenly, we were in a situation of 'one step forward, two steps
> back', as we have enabled a KDC in Samba4, and are using it quite
> successfully. However, the KDC we are operating is still unable to
> generate a PAC acceptable to the windows client, which causes the
> windows domain logon to fail.  That's a real pity, because that login
> was the pride of the SambaXP show - it really demonstrates how far we
> have come.
> As we moved on, we have added kerberos to our collection of implemented
> protocols, incorporating modified snapshots of Heimdal kerberos into the
> source.  However, this was one of those 'two steps forward, one step
> back' moments, as we were forced to implement the PAC, to satisfy the
> domain logon.
> Anyway, Micrsoft's proprietary extension to Kerberos, the PAC is a
> signed and validated data structure that includes information on the
> user and their group membership.  As such, it is mandatory for the
> domain logon sequence.
> For the last 12 months, I have been working on and off, along with
> Stefan Metzmacher and others on the Samba and Heimdal teams, to built a
> KDC that a Windows client will respect as one of it's own. Slowly, we
> have built backends, hacks, and patches for the KDC we derived from the
> Heimdal Kerberos.
> As the months have gone by, we have got closer and closer, and last
> Friday we finally cracked it:  I arranged to spend a Thursday with
> Tridge, to show him the ropes, and to see what progress we could make,
> and we continued to work on the problem on Friday.  Tridge made the
> first real headway by narrowing the problem to just kerberos (by using
> proxies and an account database obtained from Win2k3 with samsync).  
> As the day progressed tridge and I attacked just the kerberos
> differences.  We even had Samba4 issue a service ticket from an AS-REQ
> issued by Win2k3.  This allowed us to use a 'real PAC' in a Samba4
> ticket (and allowed us to narrow the differences further). 
> Anyway, the long and short of it is that we can now generate a PAC fully
> acceptable to the windows workstation!
> In going so far, I do have to thank Stefan Metzmacher, Andrew Tridgell
> and Love Hörnquist Åstrand, because without their efforts, this simply
> would not have been possible!
> To try this yourselves, set:
> gensec:gssapi_krb5=yes
> in your Samba4 smb.conf, follow the HOWTO in Samba4 checkout.
> Andrew Bartlett 
> -- 
> Andrew Bartlett                      
> Samba Developer, SuSE Labs, Novell Inc.
> Authentication Developer, Samba Team 
> Student Network Administrator, Hawker College

More information about the samba-technical mailing list