PAC debugging
Andrew Bartlett
abartlet at samba.org
Tue Oct 25 13:49:30 GMT 2005
Just a quick note to myself in the future, or anybody else who happens
to stumble on PAC bugs.
Late last week, I broke Kerberos-based domain logons to Samba4 from
Win2k3. It turns out I did this by breaking a search, which in turn
resulted in invalid data (a wrong domain) being placed in the PAC.
This resulted in these error messages in the lsass.log:
444.560> Kerb-Error: KDC failed to verify PAC signature: 0xc002001d. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 844
444.560> Kerb-Error: Pac signature did not verify: domain TAMMY.ABARTLET.NET, status c002001d
444.560> Kerb-Error: Failed to create token from ticket: 0xc002001d. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3882
You get the lsass.log by adding the registry keys described here:
http://www.hsc.fr/ressources/articles/win_log_files/index.html.en#id2578532
The behaviour I saw was the normal kerberos traffic, then an LSA RPC
call: LookupSids3, secured with schannel, using ncacn_ip_tcp transport.
This (and the matching LookupNames4) appears to be the only LSA call
allowed by Win2k3 SP1 over TCP, and is only allowed to schannel clients.
I think it may have been wanting to verify the SID in the PAC with the
name in the PAC.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
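As an added example (not part of the original post or of Samba), the snippet below parses the three lsass.log Kerb-Error lines quoted above into structured records and groups them into a single "PAC signature failed for domain X with status Y" finding, which is the shape of check you want in a log monitor for domain-join or logon breakage. The log format (timestamp, `Kerb-Error:` tag, NTSTATUS in either `0x...` or `status ...` form, optional `file, line N` suffix) is inferred from those three lines only; the sample lines are copied from the post, and the single symbolic status name in the lookup table is the standard ntstatus.h name for 0xC002001D (an assumption about which name to show, not something the post states).

```python
import re
from dataclasses import dataclass
from itertools import groupby
from typing import Dict, List, Optional

# Sample lsass.log lines, copied from the post above (constructed fixture).
SAMPLE_LSASS_LOG = "\n".join([
    r"444.560> Kerb-Error: KDC failed to verify PAC signature: 0xc002001d. d:\nt\ds\security\protocols\kerberos\client2\krbtoken.cxx, line 844",
    r"444.560> Kerb-Error: Pac signature did not verify: domain TAMMY.ABARTLET.NET, status c002001d",
    r"444.560> Kerb-Error: Failed to create token from ticket: 0xc002001d. d:\nt\ds\security\protocols\kerberos\client2\ctxtapi.cxx, line 3882",
])

# Minimal NTSTATUS name table; 0xC002001D is RPC_NT_PROTOCOL_ERROR in ntstatus.h
# (assumed mapping for display only; extend as needed).
STATUS_NAMES: Dict[int, str] = {0xC002001D: "RPC_NT_PROTOCOL_ERROR"}

# Patterns inferred from the three sample lines (assumed format).
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)> (?P<level>Kerb-\w+): (?P<msg>.*)$")
STATUS_RE = re.compile(r"(?:status\s+|0x)([0-9a-fA-F]{8})\b")
SOURCE_RE = re.compile(r"(?P<file>[A-Za-z]:\\[^,]+), line (?P<line>\d+)")
DOMAIN_RE = re.compile(r"\bdomain\s+([A-Za-z0-9.\-]+)")


@dataclass
class KerbLogEntry:
    timestamp: str
    level: str
    message: str
    status: Optional[int]
    domain: Optional[str]
    source_file: Optional[str]
    source_line: Optional[int]


def parse_line(line: str) -> Optional[KerbLogEntry]:
    """Parse one lsass.log line; return None for lines that are not Kerb-* records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    status_m = STATUS_RE.search(msg)
    source_m = SOURCE_RE.search(msg)
    domain_m = DOMAIN_RE.search(msg)
    return KerbLogEntry(
        timestamp=m.group("ts"),
        level=m.group("level"),
        message=msg,
        status=int(status_m.group(1), 16) if status_m else None,
        domain=domain_m.group(1) if domain_m else None,
        source_file=source_m.group("file") if source_m else None,
        source_line=int(source_m.group("line")) if source_m else None,
    )


def parse_log(text: str) -> List[KerbLogEntry]:
    """Parse a whole lsass.log excerpt, skipping non-matching lines."""
    entries = [parse_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def find_pac_failures(entries: List[KerbLogEntry]) -> List[dict]:
    """Group consecutive Kerb-Error lines sharing timestamp and status into one
    PAC-signature finding (domain, status, status name, source locations)."""
    findings = []
    errors = [e for e in entries if e.level == "Kerb-Error"]
    for (ts, status), group in groupby(errors, key=lambda e: (e.timestamp, e.status)):
        members = list(group)
        if not any("pac signature" in m.message.lower() for m in members):
            continue
        domain = next((m.domain for m in members if m.domain), None)
        findings.append({
            "timestamp": ts,
            "status": status,
            "status_name": STATUS_NAMES.get(status, f"0x{status:08X}" if status is not None else "unknown"),
            "domain": domain,
            "sources": [(m.source_file, m.source_line) for m in members if m.source_file],
        })
    return findings


if __name__ == "__main__":
    for f in find_pac_failures(parse_log(SAMPLE_LSASS_LOG)):
        print(f"PAC signature failure at {f['timestamp']}: domain={f['domain']} "
              f"status={f['status_name']} sources={f['sources']}")
```

The grouping key is (timestamp, status) because the three lines are one failure reported three times as it propagates up the call chain; in a live monitor you would feed in only the Kerb-Error lines and alert on the first finding per domain rather than per line.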