Hunting Netlogon PAC Validation

Andrew Bartlett abartlet at samba.org
Wed Sep 3 05:36:51 GMT 2008


On Fri, 2008-08-29 at 15:08 +1000, Andrew Bartlett wrote:
> On Thu, 2008-08-28 at 23:00 +1000, Andrew Bartlett wrote:
> > I'm having trouble getting a trace of the Netlogon-based PAC validation.
> > It appears as a SamLogon call, using the Generic package.
> > 
> > I can't get Windows to produce this 'on demand', so I don't have a good
> > idea what the request should look like.  The RPC-PAC test tries to
> > implement this call, but fails against Win2k3.
> > 
> > If you get:
> > 
> > The kerberos subsystem encountered a PAC verification failure.  This
> > indicates that the PAC from the client mycomputer$ 
> > in realm TESTAD.TST had a PAC which failed to verify or was modified.
> > Contact your system administrator.
> > 
> > in your logs often, then please apply this patch and send me the result
> > (it should just be two signed checksums in the blob). 
> 
> Naturally, I applied this locally and while I still can't reproduce on
> demand, the blob has appeared.  I'm glad I saw it, because it turns out
> to be encrypted, but with that final clue I have a client implementation
> of this protocol.

The current Samba4 GIT tree (82fcd7941f5c54da2d994c8bd99dd8d86299a296)
now implements this on the client and server.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.