PAC signature verification for Samba3

Luke Howard lukeh at padl.com
Tue Aug 30 14:27:21 GMT 2005


It is a generic NetrLogonSamLogon for the Kerberos security package.

-- Luke

>From: "Stefan (metze) Metzmacher" <metze at samba.org>
>Subject: Re: PAC signature verification for Samba3
>To: lukeh at padl.com
>Cc: samba-technical at samba.org, abartlet at samba.org
>Date: Tue, 30 Aug 2005 15:42:38 +0200
>
>> This is half-true: a member server needs to verify the KDC signature if
>> a service tries to impersonate whilst running as an unprivileged user.
>> Otherwise, a service (which knows its own key) could forge a ticket to
>> itself with a PAC containing valid server signatures and SIDs belonging
>> to a more privileged user.
>> 
>> I'm not sure this makes sense under POSIX though (can a non-root
>> process set its effective UID to an arbitrary one?). Even if it did, you
>> want to avoid it if at all possible because the signature validation RPC
>> completely destroys the performance advantage of Kerberos authentication,
>
>Hi Luke,
>
>I think we hit that problem, that we don't provide this verification RPC.
>What call is that?
>
>(I saw a PAC verification error in the event log, with the machine account of the local workstation)
>
>- --
>metze
>
>Stefan Metzmacher <metze at samba.org> www.samba.org
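The forgery Luke describes above, as an added example that is not part of the thread and not Samba code. It is a simplified model of the two PAC signatures: the server signature is a MAC over the PAC body keyed with the service's own key, and the KDC signature is a MAC over the server signature keyed with the krbtgt key (the real checksums are the Kerberos checksum types from MS-PAC; plain HMAC-SHA256 stands in for them here). A service that holds its own key can rewrite the SIDs and recompute the server signature, but cannot recompute the KDC signature, so only a check that involves the krbtgt key, which the member has to ask the DC for (modelled here by `dc_validate_pac`, standing in for the NetrLogonSamLogon validation call), catches it. All key material, SIDs and function names are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Simplified model (added example, not Samba code): HMAC-SHA256 stands in
# for the MS-PAC checksum types; keys, SIDs and helper names are constructed.


@dataclass
class Pac:
    logon_info: bytes   # stand-in for the serialized logon info (user + group SIDs)
    server_sig: bytes   # MAC over the PAC body, keyed with the service's key
    kdc_sig: bytes      # MAC over server_sig, keyed with the krbtgt key


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_pac(logon_info: bytes, service_key: bytes, krbtgt_key: bytes) -> Pac:
    """What the KDC does when it issues a service ticket: both signatures."""
    server_sig = _mac(service_key, logon_info)
    kdc_sig = _mac(krbtgt_key, server_sig)
    return Pac(logon_info, server_sig, kdc_sig)


def verify_server_sig(pac: Pac, service_key: bytes) -> bool:
    """The check a member server can do locally with its own key."""
    return hmac.compare_digest(pac.server_sig, _mac(service_key, pac.logon_info))


def verify_kdc_sig(pac: Pac, krbtgt_key: bytes) -> bool:
    """The check that needs the krbtgt key, which only the DC holds."""
    return hmac.compare_digest(pac.kdc_sig, _mac(krbtgt_key, pac.server_sig))


def forge_pac_as_service(real: Pac, service_key: bytes, new_logon_info: bytes) -> Pac:
    """A service (or an unprivileged process that got its key) re-signs a
    rewritten body; lacking the krbtgt key it can only copy the old KDC sig."""
    return Pac(new_logon_info, _mac(service_key, new_logon_info), real.kdc_sig)


def dc_validate_pac(pac: Pac, krbtgt_key: bytes) -> bool:
    """Stand-in for the DC side of the PAC validation RPC: the member hands the
    PAC signatures to the DC, which checks the KDC signature with the krbtgt key."""
    return verify_kdc_sig(pac, krbtgt_key)


def member_accepts(pac: Pac, service_key: bytes, krbtgt_key: bytes,
                   require_kdc_check: bool) -> bool:
    """Member-server policy: server signature always; KDC signature via the DC
    only when require_kdc_check is set (the impersonation case in the thread).
    krbtgt_key is passed only so the modelled DC can be called in-process."""
    if not verify_server_sig(pac, service_key):
        return False
    if require_kdc_check:
        return dc_validate_pac(pac, krbtgt_key)
    return True


def demo() -> dict:
    service_key = b"host/member.example.com key (constructed)"
    krbtgt_key = b"krbtgt/EXAMPLE.COM key (constructed)"
    genuine = sign_pac(b"user=S-1-5-21-1-2-3-1105 groups=S-1-5-21-1-2-3-513",
                       service_key, krbtgt_key)
    # The service swaps in the built-in Administrator and Domain Admins SIDs.
    forged = forge_pac_as_service(
        genuine, service_key,
        b"user=S-1-5-21-1-2-3-500 groups=S-1-5-21-1-2-3-512")
    return {
        "genuine_local_only": member_accepts(genuine, service_key, krbtgt_key, False),
        "genuine_with_dc": member_accepts(genuine, service_key, krbtgt_key, True),
        "forged_local_only": member_accepts(forged, service_key, krbtgt_key, False),
        "forged_with_dc": member_accepts(forged, service_key, krbtgt_key, True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The `forged_local_only` case is the point of the thread: the server signature alone tells the member nothing about whether the PAC was altered by someone who already holds the service key, and the round trip to the DC that closes the hole is exactly the cost Luke says you want to avoid whenever the service is not impersonating.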
