Heimdal upgrade, really happening this time

Isaac Boukris iboukris at samba.org
Thu Jul 8 03:39:59 UTC 2021

+ list

On Tue, Jul 6, 2021 at 11:14 AM Stefan Metzmacher <metze at samba.org>
> We most likely also need to change some apis in order to generate PAC
ket checksums
> (Wireshark support is being added by Isaac and me, see
> and also for compound identity PACs when offering FAST.
> "wip: rework PAC and AD-SIGNTICKET for S4U2Proxy support"
> https://github.com/heimdal/heimdal/pull/767
> might also be related here.

I took a look at PR 767 (which is related to bug 14642), I managed to
get a poc working, that is the kdc is now able to issue a minimal PAC
with all signatures even without hdb support, this would allow the
removal of KRB5SignedPath while keeping S4U2Proxy and its upstream
test working (we don't need delegation-info for that, and we can live
on the NDR boundary), I've updated the PR. Here is an example captured
from the upstream tests:

authorization-data: 1 item
    AuthorizationData item
        ad-type: aD-IF-RELEVANT (1)
            AuthorizationData item
                ad-type: aD-WIN2K-PAC (128)
                    Verified Server checksum 16 keytype 18 using
keytab principal host/datan.test.h5l.se at TEST.H5L.SE (id=3Dkeytab.1
same=3D0) (ce52810b...)
                    Verified KDC checksum 16 keytype 18 using keytab
principal krbtgt/TEST.H5L.SE at TEST.H5L.SE (id=3Dkeytab.27 same=3D0)
                    Verified Ticket checksum 16 keytype 18 using
keytab principal krbtgt/TEST.H5L.SE at TEST.H5L.SE (id=3Dkeytab.27
                    Num Entries: 4
                    Version: 0
                    Type: Client Info Type (10)
                    Type: Server Checksum (6)
                    Type: Privsvr Checksum (7)
                    Type: Ticket Checksum (16)

I'm still confuse about how '_kdc_pac_verify()' should look like, I
think samba might be picky about the kdc_key (mostly relevant to be
able to act as a DC along other Windows DCs in the same domain),
perhaps we should split the api as it is currently overloaded imo.

More information about the samba-technical mailing list