PAC Progress

Stefan (metze) Metzmacher metze at
Mon Jul 4 15:33:07 GMT 2005

Hash: SHA1

Andrew Bartlett schrieb:
> (Clearly I should take up blogging, given these missives...)
> I've been making very intersting progress on the PAC, and I wanted to
> update the list on where things are at, and the current challenges.
> So far, the IDL was have for the PAC appears to be 'mostly correct', but
> there are some interesting points that come up when implementing the
> push, rather than the pull side of the problem.
> The problem is one of padding - but not in the usual way we find in NDR,
> because the PAC isn't NDR.  It seems that the PAC is constructed at two
> layers - one up to the PAC_BUFFER level, and a second layer for the
> different types of buffers.
> To ensure that the buffers start on 8 byte boundaries (a requirement set
> out in the spec), they are all padded out from behind.  This is visible
> in particular on the PAC_SIGNATURE struct:
> Looking at a sample I have:
> 0001100 76 ff ff ff 37 d5 b0 f7 24 f0 d6 d4 ec 09 86 5a
> 0001120 a0 e8 c3 a9 00 00 00 00 76 ff ff ff b4 d8 b8 fe
> 0001140 83 b3 13 3f fc 5c 41 ad e2 64 83 e0 00 00 00 00
> If this was normal NDR alignment, there is no place for those last 4
> bytes.  Instead, think that the buffers into which the signatures are
> placed are rounded out to 8 bytes multiples, and the '64 bit
> pointer' (where a 16 bit one would have done) is the same, actually just
> forced padding:
> 	typedef struct {
> 		uint32 type;
> 		uint32 size;
> 		[relative,switch_is(type),subcontext(0),subcontext_size(size),pad8]
> PAC_INFO *info;
> 		uint32 _pad; /* Top half of a 64 bit pointer? */
> (I added a pidl extension to create the padding)
> In other matters, I am having trouble getting pidl to handle value() in
> this structure.   The subcontext_size() does not evaluate the value() on
> the size element for the push, and [value(0)] on _pad doesn't zero the
> _pad bytes.
> I have added a LOCAL-PAC test to try and avoid regressions, particularly
> with parsing a valid Win2k3 PAC while we play with this.


can you fetch the krbtgt nthash from your server and place that also in the
torture test, so that we can verify the KDC checksum too


- --

Stefan Metzmacher <metze at>
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Thunderbird -


More information about the samba-technical mailing list