Does PAC Validation Require External Communication?

Henry B. Hotz hotz at
Mon May 14 22:21:16 GMT 2007

As I understand it, if you have access to the server's keytab, then  
in principle you can forge credentials for anyone, including non- 
existent users (but only for that server).  What you suggest would  
prevent someone faking the PAC data in a credential, and from  
inventing a fake user, but they could still fake the credential.

In other words it wouldn't stop John Jones from presenting a fake  
credential for Sam Smith that just happened to include the real PAC  
data that Sam would have had if it were really Sam.

Am I missing something?

On May 14, 2007, at 2:59 PM, Andrew Bartlett wrote:

> On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
>> This link claims MS' PAC verification can require communication with
>> the DC:
>> Is this true? If so, services will not be able to authenticate nearly
>> as fast as they otherwise could.
> If you think that someone else (not root) has access to the local
> kerberos keytab (or the machine account password), then that user  
> could
> spoof their way to any (CIFS) user via the PAC, because they could  
> make
> up a fake one.  Similarly, as always with kerberos, they could change
> the principal in the ticket, etc.
> This can be worked around by validating the PAC to the KDC, but should
> be of concern to anyone who shares that keytab too broadly (eg with
> apache).
> On windows, I think a user could run a service, and unless the PAC was
> validated with the KDC, they could use their password to fake their  
> way
> down to another more privileged user.
> Andrew Bartlett
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the samba-technical mailing list