Kerberos PAC now validated

Andrew Bartlett abartlet at
Wed Jun 29 23:14:16 GMT 2005

On Tue, 2005-06-28 at 19:52 +1000, Andrew Bartlett wrote:
> Samba4 now correctly validates the Kerberos PAC, as issued by Active
> Directory.  (Previously in Samba3 and Samba4 we could parse the PAC, but
> not verify the digital signatures).
> The next stab will be to make our KDC issue the PAC, but given the
> history of Samba4 I expect the server will now be pretty easy :-)

And while it took a day, I now have our KDC issuing the Krb5 PAC, in the
correct ASN.1 structure.  It is all a bit disgusting (needs abstraction
behind a HDB interface, so we can try and get the hooks merged
upstream), but it is a very nice start.

Now, I can't make WinXP accept it yet, but our own server code accepts
and validates both the Samba4 and Win2k3 PAC.

The main sticking point I have in the PAC code is some rather odd '_pad'
elements (that I can't explain), as well as a need for variable size
signature arrays.  The current IDL is:

	typedef [flag(NDR_PAHEX)] struct {
		uint32 type;		/* checksum (signature) type */
		uint8 signature[16];	/* fixed size: only correct for one checksum type */
		[value(0)] uint32 _pad;
	} PAC_SIGNATURE_DATA;

However the signature size should vary with the encryption type.  The
PAC specification tells us to use the size in PAC_BUFFER to figure out
how long the signature should be.

	typedef struct {
		uint32 type;
		[value(ndr_size_PAC_INFO(info,type,ndr->flags))] uint32 size;
		[relative,switch_is(type)] PAC_INFO *info;
		[value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */
	} PAC_BUFFER;

Andrew Bartlett

Andrew Bartlett
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team
Student Network Administrator, Hawker College
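
The validation the message above describes, as an added Python example (not Samba's code): parse the PAC buffer table, take each signature's length from its buffer size rather than a fixed 16 bytes, and check the server checksum over the PAC with both signature fields zeroed. The buffer-type and checksum-type constants follow the MS-PAC layout as I recall it and the HMAC-MD5 checksum uses key usage 17; both are assumptions, and the sample PAC and key are constructed.

```python
import hashlib
import hmac
import struct

PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM = 6, 7   # MS-PAC buffer types (assumption)
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76             # 16-byte signature, RC4 keys
SIG_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, 0x10: 12}  # 0x10 = HMAC_SHA1_96_AES256

def parse_pac(blob):
    # PACTYPE: cBuffers, Version, then (ulType, cbBufferSize, Offset) per buffer
    nbuf = struct.unpack_from('<I', blob, 0)[0]
    return {t: (off, size) for t, size, off in
            (struct.unpack_from('<IIQ', blob, 8 + 16 * i) for i in range(nbuf))}

def signature_data(blob, off, size):
    """PAC_SIGNATURE_DATA: signature length = buffer size - 4-byte type field."""
    sigtype, sig = struct.unpack_from('<I', blob, off)[0], blob[off + 4:off + size]
    if len(sig) != SIG_LEN.get(sigtype):
        raise ValueError('signature length does not match checksum type')
    return sigtype, sig

def hmac_md5_checksum(key, data):
    """KERB_CHECKSUM_HMAC_MD5, key usage 17 (KERB_NON_KERB_CKSUM_SALT)."""
    ksign = hmac.new(key, b'signaturekey\0', hashlib.md5).digest()
    inner = hashlib.md5(struct.pack('<I', 17) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()

def zero_signatures(blob, bufs):
    # both signature fields are zeroed before either checksum is computed
    out = bytearray(blob)
    for off, size in (bufs[PAC_SERVER_CHECKSUM], bufs[PAC_KDC_CHECKSUM]):
        out[off + 4:off + size] = bytes(size - 4)
    return bytes(out)

def verify_server_checksum(blob, server_key):
    bufs = parse_pac(blob)
    sigtype, sig = signature_data(blob, *bufs[PAC_SERVER_CHECKSUM])
    expected = hmac_md5_checksum(server_key, zero_signatures(blob, bufs))
    return sigtype == KERB_CHECKSUM_HMAC_MD5 and hmac.compare_digest(sig, expected)

def build_pac(logon_info, server_key):
    # constructed sample: logon info (type 1) plus server and KDC checksum buffers
    bodies = [(1, logon_info),
              (PAC_SERVER_CHECKSUM, struct.pack('<I', KERB_CHECKSUM_HMAC_MD5) + bytes(16)),
              (PAC_KDC_CHECKSUM, struct.pack('<I', 0x10) + bytes(12))]
    hdr, data = struct.pack('<II', len(bodies), 0), b''
    for typ, body in bodies:   # buffers are 8-byte aligned in the blob
        hdr += struct.pack('<IIQ', typ, len(body), 8 + 16 * len(bodies) + len(data))
        data += body + bytes(-len(body) % 8)
    blob = hdr + data
    off = parse_pac(blob)[PAC_SERVER_CHECKSUM][0]
    sig = hmac_md5_checksum(server_key, zero_signatures(blob, parse_pac(blob)))
    return blob[:off + 4] + sig + blob[off + 20:]
```

The KDC checksum buffer is left all-zero here, so only the server-side check is exercised.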