A question about S4U2Self with MIT KDC

Alexander Bokovoy ab at samba.org
Thu Feb 7 13:41:48 UTC 2019

On to, 07 helmi 2019, Isaac Boukris via samba-technical wrote:
> Thanks Alexander, I'm fine with adding the needed API, I was mainly
> trying to convince my self that it is necessary.
> But I don't agree that the MS-SFU is clear :)
Oh, I didn't say it is all that clear, just the pieces commented.

> On Thu, Feb 7, 2019 at 1:49 PM Alexander Bokovoy <ab at samba.org> wrote:
> >
> > is clear:
> >
> > -----
> >
> > If the KDC supports the Privilege Attribute Certificate Data Structure
> > [MS-PAC], the KDC, when populating the KERB_VALIDATION_INFO Structure
> > ([MS-KILE] section, MUST NOT include the
> > in the ExtraSids field and SHOULD add the
> >
> > -----
> This doesn't say anything on verifying the original PAC.
It does (3.2.5, above all the cases):


If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], the SFU KDC MUST
copy the populated fields from the PAC in the TGT to the newly created PAC and, after processing all
fields it supports, the SFU KDC MUST generate a new Server Signature ([MS-KILE], section and KDC Signature ([MS-KILE], section which replace the existing signature
fields in the PAC, as discussed in the sections that follow.


> This one is when the impersonate principal is not from local realm, so
> a referral TGT was received that contains the PAC of the impersonate
> client - which is copied to the ticket, so of course it should be
> verified.
> > So I think the end result is that verification of PAC has to happen for
> > both in-realm and cross-realm operations. MS-KILE and MS-SFU are written
> > in a such way that non-AD implementations are allowed to get away with
> > no MS-PAC tickets but AD itself assumes always producing MS-PAC in the
> > tickets and thus performing verification of its content.
> Actually Windows KDC does not always requires the PAC, if I issue a
> very similar kvno command but not involving protocol-transition, then
> it works ok without PAC:
> $ echo -n pwd | kinit apache at ACME.COM --no-request-pac && kvno apache at ACME.COM
I think for all services that are host-based you need PAC.

/ Alexander Bokovoy

More information about the samba-technical mailing list