Does PAC Validation Require External Communication?

Andrew Bartlett abartlet at
Mon May 14 21:59:40 GMT 2007

On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
> This link claims MS' PAC verification can require communication with
> the DC:
> Is this true? If so, services will not be able to authenticate nearly
> as fast as they otherwise could.

If you think that someone else (not root) has access to the local
Kerberos keytab (or the machine account password), then that user could
spoof their way to any (CIFS) user via the PAC, because they could make
up a fake one.  Similarly, as always with Kerberos, they could change
the principal in the ticket, etc.

This can be worked around by validating the PAC to the KDC, but should
be of concern to anyone who shares that keytab too broadly (eg with

On Windows, I think a user could run a service, and unless the PAC was
validated with the KDC, they could use their password to fake their way
down to another more privileged user.

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
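To make the trust boundary in this thread concrete: a PAC carries a server checksum keyed with the service's own key and a KDC checksum keyed with the krbtgt key over that server checksum, so a service holding only its keytab can check the first but not the second. The added model below (not code from Samba or from the thread; keys are constructed and HMAC-SHA256 stands in for the real Kerberos checksum type) shows which check catches a PAC minted by someone who holds nothing but the keytab.

```python
import hashlib
import hmac

# Constructed keys for the model; real keys come from the keytab and the krbtgt account.
SERVICE_KEY = b"constructed-cifs-service-key"
KRBTGT_KEY = b"constructed-krbtgt-key"


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Stand-in for the Kerberos keyed checksum (HMAC-SHA256 is an assumption here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def kdc_issue_pac(service_key: bytes, krbtgt_key: bytes, pac_body: bytes) -> dict:
    """What the KDC emits: server checksum over the body, KDC checksum over that checksum."""
    server_sig = keyed_checksum(service_key, pac_body)
    kdc_sig = keyed_checksum(krbtgt_key, server_sig)
    return {"body": pac_body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def pac_from_keytab_only(service_key: bytes, pac_body: bytes) -> dict:
    """The scenario in the thread: a keytab holder can produce a valid server checksum,
    but has no krbtgt key, so the KDC checksum field is just filler."""
    server_sig = keyed_checksum(service_key, pac_body)
    return {"body": pac_body, "server_sig": server_sig, "kdc_sig": b"\x00" * 32}


def service_local_check(service_key: bytes, pac: dict) -> bool:
    """Everything the service can verify with only its own keytab."""
    expected = keyed_checksum(service_key, pac["body"])
    return hmac.compare_digest(expected, pac["server_sig"])


def kdc_check(krbtgt_key: bytes, pac: dict) -> bool:
    """The check that needs the krbtgt key, hence the round-trip to the DC."""
    expected = keyed_checksum(krbtgt_key, pac["server_sig"])
    return hmac.compare_digest(expected, pac["kdc_sig"])


def validate(service_key: bytes, krbtgt_key: bytes, pac: dict) -> dict:
    """Report both verdicts so the gap between local-only and DC-backed validation is visible."""
    return {
        "service_local": service_local_check(service_key, pac),
        "kdc": kdc_check(krbtgt_key, pac),
    }
```

The DC-backed verdict is the only one that distinguishes a genuine PAC from one built with the keytab alone; the local check passes for both.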