PAC signature verification for Samba3
Stefan (metze) Metzmacher
metze at samba.org
Tue Aug 30 13:42:38 GMT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> This is half-true: a member server needs to verify the KDC signature if
> a service tries to impersonate whilst running as an unprivileged user.
> Otherwise, a service (which knows its own key) could forge a ticket to
> itself with a PAC containing valid server signatures and SIDs belonging
> to a more privileged user.
>
> I'm not sure this makes sense under POSIX though (can a non-root
> process set its effective UID to an arbitrary one?). Even if it did you
> want to avoid it if at all possible because the signature validation RPC
> completely destroys the performance advantage of Kerberos authentication,
Hi Luke,
I think think we hit that problem, that we don't provide this verification RPC.
what call is that?
(I saw a PAC verification error in the event log, with the machine account of the local workstation)
- --
metze
Stefan Metzmacher <metze at samba.org> www.samba.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDFGJMm70gjA5TCD8RAgAQAJ0YTcIoCfJGAsQdoOTyVxOo/5pvkwCeNQeN
+chs6erntLRO6nYa/0ad4OU=
=AODJ
-----END PGP SIGNATURE-----
More information about the samba-technical
mailing list