Does PAC Validation Require External Communication?

Andrew Bartlett abartlet at
Mon May 14 22:26:56 GMT 2007

On Mon, 2007-05-14 at 15:21 -0700, Henry B. Hotz wrote:
> As I understand it, if you have access to the server's keytab, then
> in principle you can forge credentials for anyone, including
> non-existent users (but only for that server).  What you suggest would
> prevent someone faking the PAC data in a credential, and from
> inventing a fake user, but they could still fake the credential.
> In other words it wouldn't stop John Jones from presenting a fake
> credential for Sam Smith that just happened to include the real PAC
> data that Sam would have had if it were really Sam.

The PAC includes another signature, with the KDC's private key.  This
signature can validate that the service didn't fake a user to itself.

Of course, if you hold the keytab for the machine account, you could
also fake the signed and encrypted communication with the KDC to
validate the PAC...

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Red Hat Inc.
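Added illustration, not part of the thread or of Samba's code: a simplified Python model of the two PAC checksums Andrew describes. The service checksum is computed over the PAC body with the service's key, and the KDC checksum is computed over that service checksum with the KDC's key, so a party holding only the service keytab can rebuild the first but not the second. HMAC-SHA256, the dict layout, the key values and the user/group data are all constructed stand-ins, not the MS-PAC encoding or real checksum types.

```python
import hashlib
import hmac
import json
import os

# Hypothetical, simplified model of the two PAC checksums discussed above:
# a keyed checksum over the PAC body made with the service's key, and a
# second keyed checksum over that first checksum made with the KDC's key.
# HMAC-SHA256 stands in for the real MS-PAC checksum types; the field
# layout is invented for illustration and is not the on-the-wire format.


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def encode_body(pac_body: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(pac_body, sort_keys=True).encode()


def kdc_issue_pac(pac_body: dict, service_key: bytes, kdc_key: bytes) -> dict:
    # What the KDC produces: server checksum over the body, then the KDC
    # checksum over the server checksum (the "other signature").
    body = encode_body(pac_body)
    server_sig = keyed_checksum(service_key, body)
    kdc_sig = keyed_checksum(kdc_key, server_sig)
    return {"body": body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def service_verifies(pac: dict, service_key: bytes) -> bool:
    # The service can only check the checksum made with its own key.
    expected = keyed_checksum(service_key, pac["body"])
    return hmac.compare_digest(expected, pac["server_sig"])


def kdc_validates(pac: dict, kdc_key: bytes) -> bool:
    # PAC validation: the KDC recomputes its checksum over the server
    # checksum it is handed and compares it with the one in the PAC.
    expected = keyed_checksum(kdc_key, pac["server_sig"])
    return hmac.compare_digest(expected, pac["kdc_sig"])


def rebuilt_with_service_key_only(pac_body: dict, service_key: bytes) -> dict:
    # A PAC assembled by someone holding only the service key (Henry's
    # scenario): the server checksum is recomputed, but no valid KDC
    # checksum can be produced, so that field is just filled with noise.
    body = encode_body(pac_body)
    server_sig = keyed_checksum(service_key, body)
    return {"body": body, "server_sig": server_sig, "kdc_sig": os.urandom(32)}


def demo() -> dict:
    # Constructed keys and PAC contents for the demonstration.
    service_key = b"constructed-service-key-0000000000"
    kdc_key = b"constructed-kdc-key-00000000000000"
    genuine = kdc_issue_pac({"user": "sam", "groups": ["users"]}, service_key, kdc_key)
    self_issued = rebuilt_with_service_key_only(
        {"user": "sam", "groups": ["users", "admins"]}, service_key
    )
    return {
        "genuine_server_ok": service_verifies(genuine, service_key),
        "genuine_kdc_ok": kdc_validates(genuine, kdc_key),
        "self_issued_server_ok": service_verifies(self_issued, service_key),
        "self_issued_kdc_ok": kdc_validates(self_issued, kdc_key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The self-issued PAC passes the service's own check but fails KDC validation, which is the gap the second checksum closes. Andrew's closing caveat maps onto `kdc_validates` being answered by the same party that holds the service keytab: if the validation exchange itself can be impersonated, the KDC checksum is never genuinely checked.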