Does PAC Validation Require External Communication?

Michael B Allen mba2000 at
Mon May 14 23:24:40 GMT 2007

On Tue, 15 May 2007 07:59:40 +1000
Andrew Bartlett <abartlet at> wrote:

> On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
> > This link claims MS' PAC verification can require communication with
> > the DC:
> > 
> >
> > 
> > Is this true? If so, services will not be able to authenticate nearly
> > as fast as they otherwise could.
> If you think that someone else (not root) has access to the local
> kerberos keytab (or the machine account password), then that user could
> spoof their way to any (CIFS) user via the PAC, because they could make
> up a fake one.  Similarly, as always with kerberos, they could change
> the principal in the ticket, etc. 
> This can be worked around by validating the PAC to the KDC, but should
> be of concern to anyone who shares that keytab too broadly (eg with
> apache). 
> On windows, I think a user could run a service, and unless the PAC was
> validated with the KDC, they could use their password to fake their way
> down to another more privileged user. 

Hi Andrew,

So exploring the Apache example a little more - if Apache loaded the
keytab as root when it initialized and stored it in an in-memory only
keytab so that workers didn't really have access to it, the KDC checksum
wouldn't really need to be validated and no communication with the KDC
would be necessary?


More information about the samba-technical mailing list