Hunting Netlogon PAC Validation

Andrew Bartlett abartlet at
Fri Aug 29 05:08:26 GMT 2008

On Thu, 2008-08-28 at 23:00 +1000, Andrew Bartlett wrote:
> I'm having trouble getting a trace of the Netlogon-based PAC validation.
> It appears as a SamLogon call, using the Generic package.
> I can't get windows to produce this 'on demand', so I don't have a good
> idea what the request should look like.  The RPC-PAC test tries to
> implement this call, but fails against Win2k3.
> If you get:
> The kerberos subsystem encountered a PAC verification failure.  This
> indicates that the PAC from the client mycomputer$ 
> in realm TESTAD.TST had a PAC which failed to verify or was modified.
> Contact your system administrator.
> In your logs often, then please apply this patch and send me the result
> (it should just be two signed checksums in the blob). 

Naturally, I applied this locally and while I still can't reproduce on
demand, the blob has appeared.  I'm glad I saw it, because it turns out
to be encrypted, but with that final clue I have a client implementation
of this protocol.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list