Does PAC Validation Require External Communication?

Michael B Allen mba2000 at
Tue May 15 00:17:19 GMT 2007

On Tue, 15 May 2007 09:29:14 +1000
Andrew Bartlett <abartlet at> wrote:

> > > spoof their way to any (CIFS) user via the PAC, because they could make
> > > up a fake one.  Similarly, as always with kerberos, they could change
> > > the principal in the ticket, etc. 
> > > 
> > > This can be worked around by validating the PAC to the KDC, but should
> > > be of concern to anyone who shares that keytab too broadly (eg with
> > > apache). 
> > 
> > So exploring the Apache example a little more - if Apache loaded the
> > keytab as root when it initialized and stored it in an in-memory only
> > keytab so that workers didn't really have access to it
> You would need to *ensure* the workers didn't have access to it.  (ie,
> the GSSAPI authentication should go via a IPC mechanism.

Or one of the lower level Kerberos checksum verification routines. Sounds
more complicated than it's worth but definitely something to keep in mind.


More information about the samba-technical mailing list