PAC debugging

Andrew Bartlett abartlet at
Tue Oct 25 13:49:30 GMT 2005

Just a quick note to myself in the future, or anybody else who happens
to stumble on PAC bugs.

Late last week, I broke kerberos based domain logons to Samba4 from
Win2k3.  It turns out I did this by breaking a search, which in turn
resulted in invalid data (a wrong domain) being placed in the PAC.

This resulted in these error messages in the lsass.log:

444.560> Kerb-Error: KDC failed to verify PAC signature: 0xc002001d. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 844
444.560> Kerb-Error: Pac signature did not verify: domain TAMMY.ABARTLET.NET, status c002001d
444.560> Kerb-Error: Failed to create token from ticket: 0xc002001d. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3882

You get the lsass.log by adding the registry keys described here:

The behaviour I saw was the normal kerberos traffic, then an LSA RPC
call: LookupSids3, secured with schannel, using ncacn_ip_tcp transport.

This (and the matching LookupNames4) appears to be the only LSA call
allowed by Win2k3 SP1 over TCP, and is only allowed to schannel clients.
I think it may have been wanting to verify the SID in the PAC with the
name in the PAC.

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
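An added example, not part of the original message: a small Python parser that groups the Kerb-Error lines quoted above by their timestamp prefix and turns each "Pac signature did not verify" group into one structured event (domain, NTSTATUS, and the source file/line references that reported the same status), which is handy when hunting through a long lsass.log for PAC failures. The sample lines are constructed from the excerpt in the message plus one unrelated line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed sample: the three lsass.log lines quoted in the message above,
# plus one unrelated line so the grouping logic has something to ignore.
SAMPLE_LOG = [
    r"444.560> Kerb-Error: KDC failed to verify PAC signature: 0xc002001d. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 844",
    r"444.560> Kerb-Error: Pac signature did not verify: domain TAMMY.ABARTLET.NET, status c002001d",
    r"444.560> Kerb-Error: Failed to create token from ticket: 0xc002001d. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3882",
    r"445.102> Kerb-Trace: constructed noise line, not a PAC failure",
]

KERB_ERROR = re.compile(r"^(?P<ts>\d+\.\d+)> Kerb-Error: (?P<msg>.*)$")
# The "did not verify" line carries the status without a 0x prefix; the others carry it with one.
PAC_VERIFY = re.compile(r"Pac signature did not verify: domain (?P<domain>\S+), status (?P<status>[0-9a-fA-F]+)")
STATUS_SRC = re.compile(r"0x(?P<status>[0-9a-fA-F]{8})\. (?P<file>\S+), line (?P<line>\d+)")


@dataclass
class PacFailure:
    timestamp: str
    domain: str
    status: int                                       # NTSTATUS as an integer, prefix-agnostic
    sources: List[str] = field(default_factory=list)  # "file:line" locations reporting that status


def parse_pac_failures(lines: Iterable[str]) -> List[PacFailure]:
    """Group Kerb-Error lines by timestamp; emit one event per PAC verification failure."""
    groups: Dict[str, List[str]] = {}
    for line in lines:
        m = KERB_ERROR.match(line.rstrip("\r\n"))
        if m:
            groups.setdefault(m["ts"], []).append(m["msg"])

    failures: List[PacFailure] = []
    for ts, msgs in groups.items():
        verify = next(filter(None, map(PAC_VERIFY.search, msgs)), None)
        if verify is None:
            continue  # Kerb-Error group, but not a PAC signature failure
        fail = PacFailure(ts, verify["domain"], int(verify["status"], 16))
        for msg in msgs:
            s = STATUS_SRC.search(msg)
            if s and int(s["status"], 16) == fail.status:
                fail.sources.append(f'{s["file"]}:{s["line"]}')
        failures.append(fail)
    return failures


if __name__ == "__main__":
    for f in parse_pac_failures(SAMPLE_LOG):
        print(f"{f.timestamp}: PAC for {f.domain} rejected, status 0x{f.status:08x}, at {', '.join(f.sources)}")
```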