Hunting Netlogon PAC Validation
Andrew Bartlett
abartlet at samba.org
Fri Aug 29 05:08:26 GMT 2008
On Thu, 2008-08-28 at 23:00 +1000, Andrew Bartlett wrote:
> I'm having trouble getting a trace of the Netlogon-based PAC validation.
> It appears as a SamLogon call, using the Generic package.
>
> I can't get Windows to produce this 'on demand', so I don't have a good
> idea what the request should look like. The RPC-PAC test tries to
> implement this call, but fails against Win2k3.
>
> If you get:
>
> The kerberos subsystem encountered a PAC verification failure. This
> indicates that the PAC from the client mycomputer$
> in realm TESTAD.TST had a PAC which failed to verify or was modified.
> Contact your system administrator.
>
> in your logs often, then please apply this patch and send me the result
> (it should just be two signed checksums in the blob).
Naturally, I applied this locally and while I still can't reproduce on
demand, the blob has appeared. I'm glad I saw it, because it turns out
to be encrypted, but with that final clue I have a client implementation
of this protocol.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.