PAC signature verification for Samba3

Luke Howard lukeh at
Tue Aug 30 14:27:21 GMT 2005

It is a generic NetrLogonSamLogon for the Kerberos security package.

-- Luke

>From: "Stefan (metze) Metzmacher" <metze at>
>Subject: Re: PAC signature verification for Samba3
>To: lukeh at
>Cc: samba-technical at, abartlet at
>Date: Tue, 30 Aug 2005 15:42:38 +0200
>> This is half-true: a member server needs to verify the KDC signature if
>> a service tries to impersonate whilst running as an unprivileged user.
>> Otherwise, a service (which knows its own key) could forge a ticket to
>> itself with a PAC containing valid server signatures and SIDs belonging
>> to a more privileged user.
>> I'm not sure this makes sense under POSIX though (can a non-root
>> process set its effective UID to an arbitrary one?). Even if it did you
>> want to avoid it if at all possible because the signature validation RPC
>> completely destroys the performance advantage of Kerberos authentication,
>Hi Luke,
>I think we hit that problem, that we don't provide this verification RPC.
>What call is that?
>(I saw a PAC verification error in the event log, with the machine account of the local workstation)
>--
>Stefan Metzmacher <metze at>
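
A simplified model of the two PAC signatures discussed in this thread, added here as an illustration and not code from Samba or from either poster. HMAC-SHA256 stands in for the Kerberos keyed checksum types, dc_verify_kdc_sig() stands in for the verification RPC to the DC, and all keys, field names and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed keys for this sketch; real ones are Kerberos long-term keys.
SERVICE_KEY = b"constructed-service-account-key"  # known to the service itself
KDC_KEY = b"constructed-krbtgt-key"               # known only to the KDC/DC


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the real Kerberos checksum types.
    return hmac.new(key, data, hashlib.sha256).digest()


def kdc_issue_pac(authz_data: bytes) -> dict:
    """KDC side: server signature over the PAC data, KDC signature over
    the server signature."""
    server_sig = keyed_checksum(SERVICE_KEY, authz_data)
    return {"data": authz_data, "server_sig": server_sig,
            "kdc_sig": keyed_checksum(KDC_KEY, server_sig)}


def server_sig_ok(pac: dict) -> bool:
    """Local check: needs only the key the service already holds."""
    expected = keyed_checksum(SERVICE_KEY, pac["data"])
    return hmac.compare_digest(expected, pac["server_sig"])


def dc_verify_kdc_sig(server_sig: bytes, kdc_sig: bytes) -> bool:
    """Stand-in for the round trip to the DC, which holds the KDC key."""
    return hmac.compare_digest(keyed_checksum(KDC_KEY, server_sig), kdc_sig)


def accept_pac(pac: dict, verify_with_dc: bool) -> bool:
    """Member-server decision, with or without the extra DC round trip."""
    if not server_sig_ok(pac):
        return False
    if verify_with_dc:
        return dc_verify_kdc_sig(pac["server_sig"], pac["kdc_sig"])
    return True


def self_made_pac(authz_data: bytes) -> dict:
    """What a holder of SERVICE_KEY alone can build: the server signature
    is valid, the KDC signature cannot be (KDC_KEY is not available)."""
    server_sig = keyed_checksum(SERVICE_KEY, authz_data)
    return {"data": authz_data, "server_sig": server_sig,
            "kdc_sig": keyed_checksum(SERVICE_KEY, server_sig)}
```

With verify_with_dc=False the self-made PAC passes, because the server signature proves only knowledge of the service key; with verify_with_dc=True it is rejected, at the cost of one DC round trip per authentication.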

