Does PAC Validation Require External Communication?

Henry B. Hotz hotz at
Mon May 14 23:04:14 GMT 2007

On May 14, 2007, at 3:26 PM, Andrew Bartlett wrote:

> On Mon, 2007-05-14 at 15:21 -0700, Henry B. Hotz wrote:
>> As I understand it, if you have access to the server's keytab, then
>> in principle you can forge credentials for anyone, including non-
>> existent users (but only for that server).  What you suggest would
>> prevent someone faking the PAC data in a credential, and from
>> inventing a fake user, but they could still fake the credential.
>> In other words it wouldn't stop John Jones from presenting a fake
>> credential for Sam Smith that just happened to include the real PAC
>> data that Sam would have had if it were really Sam.
> The PAC includes another signature, with the KDC's private key.  This
> signature can validate that the service didn't fake a user to itself.

OK, good!

> Of course, if you hold the keytab for the machine account, you could
> also fake the signed and encrypted communication with the KDC to
> validate the PAC...

. . . but not perfect.  Still spoofing another live service is  
another barrier to an exploit.

More information about the samba-technical mailing list