Does PAC Validation Require External Communication?

Andrew Bartlett abartlet at samba.org
Mon May 14 21:59:40 GMT 2007


On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
> This link claims MS' PAC verification can require communication with
> the DC:
> 
> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx
> 
> Is this true? If so, services will not be able to authenticate nearly
> as fast as they otherwise could.

If you think that someone else (not root) has access to the local
Kerberos keytab (or the machine account password), then that user could
spoof their way to any (CIFS) user via the PAC, because they could make
up a fake one.  Similarly, as always with Kerberos, they could change
the principal in the ticket, etc.

This can be worked around by validating the PAC with the KDC, but should
be of concern to anyone who shares that keytab too broadly (e.g. with
Apache).

On Windows, I think a user could run a service, and unless the PAC was
validated with the KDC, they could use their password to fake their way
down to another more privileged user.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
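To make the trust relationship in Andrew's reply concrete, here is an added toy model in Python (not Samba code and not the MS-PAC wire format; it uses HMAC-SHA256 in place of the real PAC checksum types and simulates the DC round-trip in-process). It shows which of the two PAC checksums a service can verify with its own key, and why a PAC built with only that key passes the local check but not the KDC one.

```python
import hashlib
import hmac
import json

# Constructed keys for the model; in a real deployment the service key comes
# from the keytab and the krbtgt key never leaves the KDC.
SERVICE_KEY = b"service-long-term-key-(constructed)"
KRBTGT_KEY = b"krbtgt-key-(constructed)"


def _mac(key: bytes, data: bytes) -> bytes:
    # Stand-in for the PAC checksum types (real PACs use HMAC-MD5 or AES checksums).
    return hmac.new(key, data, hashlib.sha256).digest()


def _authz(user: str, groups) -> bytes:
    return json.dumps({"user": user, "groups": sorted(groups)}).encode()


def kdc_issue_pac(user: str, groups, service_key: bytes = SERVICE_KEY,
                  krbtgt_key: bytes = KRBTGT_KEY) -> dict:
    """KDC builds the PAC: server checksum over the authz data (service key),
    then a KDC checksum over the server checksum (krbtgt key), as in MS-PAC."""
    authz = _authz(user, groups)
    server_sig = _mac(service_key, authz)
    return {"authz": authz, "server_sig": server_sig,
            "kdc_sig": _mac(krbtgt_key, server_sig)}


def pac_from_service_key_only(user: str, groups, service_key: bytes = SERVICE_KEY) -> dict:
    """What a holder of only the service key (the keytab) can produce: a valid
    server checksum, but no way to compute the KDC checksum."""
    authz = _authz(user, groups)
    return {"authz": authz, "server_sig": _mac(service_key, authz), "kdc_sig": b""}


def service_local_check(pac: dict, service_key: bytes = SERVICE_KEY) -> bool:
    """The only check a service can do offline: recompute the server checksum."""
    return hmac.compare_digest(pac["server_sig"], _mac(service_key, pac["authz"]))


def kdc_check(pac: dict, krbtgt_key: bytes = KRBTGT_KEY) -> bool:
    """The check that needs the DC (KERB_VERIFY_PAC over NetLogon in real life):
    only the KDC holds the krbtgt key, so only it can verify the KDC checksum."""
    return hmac.compare_digest(pac["kdc_sig"], _mac(krbtgt_key, pac["server_sig"]))


def validate(pac: dict) -> dict:
    """Outcome of both checks; a service that trusts only local_ok accepts the
    service-key-only PAC, which is the hole described in the thread."""
    return {"local_ok": service_local_check(pac), "kdc_ok": kdc_check(pac)}
```

The round-trip cost Michael asks about is exactly `kdc_check`: it is the one step that cannot be done with the keys the service already holds.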