Hunting Netlogon PAC Validation

Andrew Bartlett abartlet at
Wed Sep 3 05:36:51 GMT 2008

On Fri, 2008-08-29 at 15:08 +1000, Andrew Bartlett wrote:
> On Thu, 2008-08-28 at 23:00 +1000, Andrew Bartlett wrote:
> > I'm having trouble getting a trace of the Netlogon-based PAC validation.
> > It appears as a SamLogon call, using the Generic package.
> > 
> > I can't get windows to produce this 'on demand', so I don't have a good
> > idea what the request should look like.  The RPC-PAC test tries to
> > implement this call, but fails against Win2k3.
> > 
> > If you get:
> > 
> > The kerberos subsystem encountered a PAC verification failure.  This
> > indicates that the PAC from the client mycomputer$ 
> > in realm TESTAD.TST had a PAC which failed to verify or was modified.
> > Contact your system administrator.
> > 
> > In your logs often, then please apply this patch and send me the result
> > (it should just be two signed checksums in the blob). 
> Naturally, I applied this locally and while I still can't reproduce on
> demand, the blob has appeared.  I'm glad I saw it, because it turns out
> to be encrypted, but with that final clue I have a client implementation
> of this protocol.

The current Samba4 GIT tree (82fcd7941f5c54da2d994c8bd99dd8d86299a296)
now implements this on the client and server.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list