Does PAC Validation Require External Communication?

Andrew Bartlett abartlet at
Tue May 15 01:27:48 GMT 2007

On Mon, 2007-05-14 at 20:17 -0400, Michael B Allen wrote:
> On Tue, 15 May 2007 09:29:14 +1000
> Andrew Bartlett <abartlet at> wrote:
> > > > spoof their way to any (CIFS) user via the PAC, because they could make
> > > > up a fake one.  Similarly, as always with kerberos, they could change
> > > > the principal in the ticket, etc. 
> > > > 
> > > > This can be worked around by validating the PAC to the KDC, but should
> > > > be of concern to anyone who shares that keytab too broadly (eg with
> > > > apache). 
> > > 
> > > So exploring the Apache example a little more - if Apache loaded the
> > > keytab as root when it initialized and stored it in an in-memory only
> > > keytab so that workers didn't really have access to it
> > 
> > You would need to *ensure* the workers didn't have access to it.  (ie,
> > the GSSAPI authentication should go via an IPC mechanism.)
> Or one of the lower level Kerberos checksum verification routines. Sounds
> more complicated than it's worth but definitely something to keep in mind.

One of the advantages of the work that Love has done to put the PAC
validation into the kerberos library is that we could potentially
separate all kerberos processing into a locked-down selinux-protected
special user.  Then the various system tools wanting to do kerberos
would not need the long-term keys, but could still get stuff like the
PAC back, validated.

Likewise, I think a similar tool (achieving the same ideas as the
winbind kinit integration, possibly such as kcm?) could handle all the
kerberos, keeping the user's TGT away from the desktop apps. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Red Hat Inc.
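The privilege-separation design sketched in this message, as an added example that is not part of the original thread and not Samba or Heimdal code: a helper process is the only party holding the service's long-term key, unprivileged workers hand it the client's token over a Unix socket, and only the validated claims come back, never the key. Everything here is constructed for illustration: HMAC-SHA256 stands in for the Kerberos service key and the PAC server checksum, `sign_pac`/`verify_pac`, `KerberosHelper`, `worker_authenticate` and the socket path are invented names, and the token format is not the real PAC encoding.

```python
import hashlib
import hmac
import json
import os
import socket
import tempfile
import threading

# Constructed stand-in for the service's long-term key (the keytab). Real
# deployments use Kerberos keys and the PAC's KDC/server checksums; HMAC-SHA256
# here only makes the trust boundary visible and runnable offline.
SERVICE_KEY = b"constructed-demo-keytab-secret"


def sign_pac(pac: dict, key: bytes) -> bytes:
    """Build a token carrying PAC-like claims plus a MAC under the service key."""
    body = json.dumps(pac, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag  # tag is hex, so the last '.' always splits body/tag


def verify_pac(token: bytes, key: bytes):
    """Return the claims if the MAC verifies under `key`, otherwise None."""
    body, sep, tag = token.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


class KerberosHelper(threading.Thread):
    """Privileged side: the only process that ever holds the service key.

    It listens on a Unix socket, verifies tokens handed to it, and returns
    only the validated claims. In a real deployment this runs as its own
    locked-down user; a thread is used here so the example runs stand-alone.
    """

    def __init__(self, sock_path: str, key: bytes):
        super().__init__(daemon=True)
        self._key = key
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(sock_path)
        # Restrict who may connect; a deployment would use a group-owned socket.
        os.chmod(sock_path, 0o600)
        self._srv.listen(4)

    def run(self):
        while True:
            conn, _ = self._srv.accept()
            with conn:
                token = conn.recv(65536)
                pac = verify_pac(token, self._key)
                reply = {"ok": pac is not None, "pac": pac}
                conn.sendall(json.dumps(reply).encode())


def worker_authenticate(sock_path: str, token: bytes) -> dict:
    """Unprivileged side (e.g. a web server worker): never sees SERVICE_KEY."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(token)
        c.shutdown(socket.SHUT_WR)
        return json.loads(c.recv(65536).decode())


def demo(sock_path: str = None) -> dict:
    """Run the helper and push three constructed tokens through a worker."""
    if sock_path is None:
        sock_path = os.path.join(tempfile.mkdtemp(), "krb-helper.sock")
    KerberosHelper(sock_path, SERVICE_KEY).start()
    genuine = sign_pac({"principal": "alice@EXAMPLE.COM", "groups": ["staff"]}, SERVICE_KEY)
    # Made-up PAC signed with a key that is not the service key: must be rejected.
    forged = sign_pac({"principal": "admin@EXAMPLE.COM", "groups": ["admins"]}, b"wrong-key")
    # Genuine MAC, but the principal rewritten after signing: must be rejected.
    tampered = genuine.replace(b"alice", b"admin")
    return {
        "genuine": worker_authenticate(sock_path, genuine),
        "forged": worker_authenticate(sock_path, forged),
        "tampered": worker_authenticate(sock_path, tampered),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The worker only ever learns "ok" plus the claims, so a compromised worker cannot mint tokens for other users; the helper's key stays behind the socket, which is the same property the message wants from moving PAC validation into a separate, locked-down user.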