[PATCH] Kerberos PAC verification (and use) for samba 3

Andrew Bartlett abartlet at samba.org
Fri Sep 9 17:30:08 GMT 2005

On Fri, 2005-09-09 at 18:30 +0200, Guenther Deschner wrote:
> Hi,
> attached is a reworked patch that allows to build correcter NT Tokens for
> Samba3 as a domain member in security=ads using a validated Kerberos PAC
> (thanks to the tremendous work happening in Samba4).

> Any feedback would be very welcome :)

A few things I noticed:

As per my mail to the list a couple of days ago, the handling of the
signatures in the PAC as fixed 16 byte quantities is our bug.

Watch your copyrights on the large lumps of 'glue' code.

See if you can use the header from the netlogon pipe for the info3
portion of the PAC (rather than duplicating the members in authdata.h).

You (and we) should handle the case where the AD-IF-RELEVANT contents is
not of type 128 (ie, we should have some other bit of data that is in
this extension field), as well as when the first authdata element isn't

Finally, great work!  I do however feel completely vindicated in my
decision not to try and support a system kerberos library during Samba4
development ;-)

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050910/506c6f7c/attachment.bin

More information about the samba-technical mailing list