PAC parsing in Samba 4.1

Andrew Bartlett abartlet at
Mon Jul 29 21:13:20 MDT 2013

On Thu, 2013-07-25 at 20:08 +0100, Tris Mabbs wrote:
> Good day, one and all ...
> I just had to rebuild our main Samba server ("OpenSlowlaris" ->
> "Slowlaris 11.11"), during which I put the latest (at the time;
> currently 4.2.0pre1-GIT-b505111) Samba4 on there.  I thought that by
> now that Gunther's speculative changes to improve the PAC decode might
> have made their way into the trunk revision - obviously I was wrong,
> as I'm once again getting a load of "Can't parse the PAC:
> NT_STATUS_BUFFER_TOO_SMALL" messages and a user who can't access any
> Samba shares.
> Whoops ...
> So as we previously discussed looking into things in more detail
> (specifically finding out why there is no "client_principal" being
> passed into "kerberos_decode_pac()"), but nothing else ever happened,
> is there anything I can do to assist in getting the improved PAC
> decoding included into the trunk revision?  Whilst I can't guarantee
> immediate responses to any request, I'm quite happy to stick any code
> in anywhere you might want if you don't mind potentially waiting a day
> or so for the results :-)


What happened about your code here?  Can I merge your patch?

I see two branches in your git repo:;a=shortlog;h=refs/heads/master-krb5pac_type12;a=shortlog;h=refs/heads/master-krb5pac

Are either of these ready for merging?


If these are not ready, can we revert your change, as this is a
regression in 4.1 vs 4.0?

commit a6be8a97f705247c1b1cbb0595887d8924740a71
Author: Simo Sorce <idra at>
Date:   Thu Sep 27 14:12:06 2012 -0400

    Support UPN_DNS_INFO in the PAC
    Previously marked as UNKNOWN_12 the UPN_DNS_INFO is defined in
    Autobuild-User(master): Simo Sorce <idra at>
    Autobuild-Date(master): Fri Sep 28 01:13:44 CEST 2012 on


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Catalyst IT         

More information about the samba-technical mailing list