Kerberos PAC now validated
Andrew Bartlett
abartlet at samba.org
Wed Jun 29 23:14:16 GMT 2005
On Tue, 2005-06-28 at 19:52 +1000, Andrew Bartlett wrote:
> Samba4 now correctly validates the Kerberos PAC, as issued by Active
> Directory. (Previously in Samba3 and Samba4 we could parse the PAC, but
> not verify the digital signatures).
>
> The next stab will be to make our KDC issue the PAC, but given the
> history of Samba4 I expect the server will now be pretty easy :-)
And while it took a day, I now have our KDC issuing the Krb5 PAC, in the
correct ASN.1 structure. It is all a bit disgusting (needs abstraction
behind a HDB interface, so we can try and get the hooks merged
upstream), but it is a very nice start.
Now, I can't make WinXP accept it yet, but our own server code accepts
and validates both the Samba4 and Win2k3 PAC.
The main sticking point I have in the PAC code is some rather odd '_pad'
elements (that I can't explain), as well as a need for variable size
signature arrays. The current IDL is:
typedef [flag(NDR_PAHEX)] struct {
	uint32 type;
	uint8 signature[16];
	[value(0)] uint32 _pad;
} PAC_SIGNATURE_DATA;
However, the signature size should vary with the encryption type. The
PAC specification tells us to use the size in PAC_BUFFER to figure out
how long the signature should be.
typedef struct {
	uint32 type;
	[value(ndr_size_PAC_INFO(info,type,ndr->flags))] uint32 size;
	[relative,switch_is(type)] PAC_INFO *info;
	[value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
} PAC_BUFFER;
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
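The following is an added worked example, not Samba code and not part of the original mail. It parses the PAC layout the mail is wrestling with and checks both signatures the way a server-side validator has to. It assumes the MS-PAC wire format: a PACTYPE header (cBuffers, Version) followed by PAC_INFO_BUFFER entries of ulType, cbBufferSize and a 64-bit Offset (which is what the trailing `_pad` in the 32-bit IDL above is covering), then 8-byte-aligned payloads. The signature length is taken from cbBufferSize minus the 4-byte SignatureType rather than a fixed 16, and cross-checked against the checksum type (16 bytes for KERB_CHECKSUM_HMAC_MD5, 12 for the AES HMAC-SHA1-96 types). Only the RC4-HMAC checksum (RFC 4757 section 4, key usage 17) is actually computed here; AES signatures are sized and located but would need RFC 3962 key derivation, which the example does not implement. The server signature covers the whole PAC with both Signature fields zeroed, and the KDC signature covers the server signature. Keys and buffer payloads are constructed placeholders, not real AD data.

```python
import hashlib
import hmac
import struct

# PAC buffer types (ulType values from MS-PAC)
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7      # the KDC signature
PAC_CLIENT_INFO = 10

# Kerberos checksum types and the signature length each one produces
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # -138 as uint32; RC4-HMAC, 16 bytes
HMAC_SHA1_96_AES128 = 15              # 12 bytes
HMAC_SHA1_96_AES256 = 16              # 12 bytes
SIGNATURE_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, HMAC_SHA1_96_AES128: 12, HMAC_SHA1_96_AES256: 12}
KU_NON_KERB_CKSUM_SALT = 17           # key usage number for both PAC signatures


def rc4_hmac_checksum(key, usage, data):
    """KERB_CHECKSUM_HMAC_MD5 (RFC 4757 section 4): HMAC-MD5 over MD5(usage || data)."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def build_pac(buffers):
    """Assemble PACTYPE + PAC_INFO_BUFFER array + 8-byte-aligned payloads.
    Each PAC_INFO_BUFFER is ulType, cbBufferSize and a 64-bit Offset.
    buffers is a list of (ulType, payload) pairs."""
    offset = 8 + 16 * len(buffers)
    infos, body = b"", b""
    for ultype, payload in buffers:
        infos += struct.pack("<IIQ", ultype, len(payload), offset)
        padded = payload + b"\0" * (-len(payload) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + infos + body


def parse_pac(pac):
    """Return {ulType: (offset, size)} with a bounds check on every buffer."""
    cbuffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    entries = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("buffer type %d overruns the PAC" % ultype)
        entries[ultype] = (offset, size)
    return entries


def signature_info(pac, entries, ultype):
    """(SignatureType, offset of Signature, length of Signature) for a signature buffer.
    The length is cbBufferSize minus the 4-byte type, then checked against the type."""
    offset, size = entries[ultype]
    if size < 4:
        raise ValueError("signature buffer too short")
    cksumtype = struct.unpack_from("<I", pac, offset)[0]
    if SIGNATURE_LEN.get(cksumtype) != size - 4:
        raise ValueError("signature length %d does not fit type 0x%x" % (size - 4, cksumtype))
    return cksumtype, offset + 4, size - 4


def _locate_signatures(pac):
    """Both signature infos plus a copy of the PAC with both Signature fields zeroed."""
    entries = parse_pac(pac)
    srv = signature_info(pac, entries, PAC_SERVER_CHECKSUM)
    kdc = signature_info(pac, entries, PAC_PRIVSVR_CHECKSUM)
    if srv[0] != KERB_CHECKSUM_HMAC_MD5 or kdc[0] != KERB_CHECKSUM_HMAC_MD5:
        raise NotImplementedError("only KERB_CHECKSUM_HMAC_MD5 is computed in this example")
    zeroed = bytearray(pac)
    for _, off, length in (srv, kdc):
        zeroed[off:off + length] = b"\0" * length
    return srv, kdc, bytes(zeroed)


def sign_pac(pac, server_key, kdc_key):
    """Fill in the server signature (over the zeroed PAC) and the KDC signature (over it)."""
    (_, s_off, s_len), (_, k_off, k_len), zeroed = _locate_signatures(pac)
    out = bytearray(zeroed)
    srv_sig = rc4_hmac_checksum(server_key, KU_NON_KERB_CKSUM_SALT, zeroed)
    out[s_off:s_off + s_len] = srv_sig
    out[k_off:k_off + k_len] = rc4_hmac_checksum(kdc_key, KU_NON_KERB_CKSUM_SALT, srv_sig)
    return bytes(out)


def verify_pac(pac, server_key, kdc_key):
    """True only if both signatures check out; comparisons are constant-time."""
    (_, s_off, s_len), (_, k_off, k_len), zeroed = _locate_signatures(pac)
    srv_sig = pac[s_off:s_off + s_len]
    ok_srv = hmac.compare_digest(srv_sig, rc4_hmac_checksum(server_key, KU_NON_KERB_CKSUM_SALT, zeroed))
    ok_kdc = hmac.compare_digest(pac[k_off:k_off + k_len],
                                 rc4_hmac_checksum(kdc_key, KU_NON_KERB_CKSUM_SALT, srv_sig))
    return ok_srv and ok_kdc


# Constructed sample: placeholder payloads and test keys, not real AD data.
SERVER_KEY = bytes([0x11] * 16)
KDC_KEY = bytes([0x22] * 16)
UNSIGNED_PAC = build_pac([
    (PAC_LOGON_INFO, b"<constructed KERB_VALIDATION_INFO placeholder>"),
    (PAC_CLIENT_INFO, b"<constructed PAC_CLIENT_INFO placeholder>"),
    (PAC_SERVER_CHECKSUM, struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\0" * 16),
    (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\0" * 16),
])
SIGNED_PAC = sign_pac(UNSIGNED_PAC, SERVER_KEY, KDC_KEY)


def tampered_pac():
    """The signed PAC with one byte of the logon info flipped."""
    off, _ = parse_pac(SIGNED_PAC)[PAC_LOGON_INFO]
    t = bytearray(SIGNED_PAC)
    t[off] ^= 0xFF
    return bytes(t)


if __name__ == "__main__":
    print("valid:", verify_pac(SIGNED_PAC, SERVER_KEY, KDC_KEY))
    print("tampered:", verify_pac(tampered_pac(), SERVER_KEY, KDC_KEY))
```

Two things a validator gets from this that a fixed `uint8 signature[16]` cannot: the signature length follows cbBufferSize and is rejected when it disagrees with SignatureType, and every buffer offset is bounds-checked before anything is read. Checking the checksums is only part of accepting a PAC: the ticket it came in still has to decrypt under the service key, and the KDC signature can only be checked by (or via) the KDC, since it uses the krbtgt key.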