PAC Ticket signature in Heimdal

Andrew Bartlett abartlet at
Thu Jul 29 04:55:10 UTC 2021

On Sun, 2021-07-11 at 16:20 +0300, Isaac Boukris via samba-technical
> Hi Metze,
> > > We most likely also need to change some apis in order to generate
> PAC Ticket checksums
> > > (Wireshark support is being added by Isaac and me, see
> > > and also for compound identity PACs when offering FAST.
> > > "wip: rework PAC and AD-SIGNTICKET for S4U2Proxy support"
> > >
> > > might also be related here.
> > 
> > I took a look at PR 767 (which is related to bug 14642), I managed
> > to
> > get a poc working, that is the kdc is now able to issue a minimal
> > PAC
> > with all signatures even without hdb support, this would allow the
> > removal of KRB5SignedPath while keeping S4U2Proxy and its upstream
> > test working (we don't need delegation-info for that, and we can
> > live
> > on the NDR boundary), I've updated the PR.
> Looking at '_kdc_pac_verify' (aka 'samba_wdc_reget_pac'), which is
> called after the kdc checked the server signature, I think it
> currently
> does three things, first it checks if the krbtgt is in db to know
> whether we can check the kdc signature, if so it then (second)
> fetches
> the right key by the checksum-type to check the signature, and then
> (third) it update PAC buffers  such as logon-info and delegation-info
> (at which point the server signature can no longer be verified..).

Thanks for asking about this.  I look with a bit of horror on some of
my code there, a little of it makes no sense.  If we have been given a
HDB entry in 'krbtgt' for example, we know it is in the DB and we did
just use that to decrypt the ticket, I hope!

> I wonder if we can implement one and two in the KDC and change
> '_kdc_pac_verify' to something like '_kdc_update_pac', see the PR
> changes how I'm trying to implement it.

I think so.  At the time of initial development verifying the PAC was
out of scope for Heimdal, now it very much looks like we are doing
double-work.  The main extra thing gained seems to be that we verify
the krbtgt signature, not the server one (which matters if you are
checking an evidence ticket against a 'bronze bit' attack).

> For one, that is checking if a kdc from our realm issued the ticket,
> I
> compare the header realm with the requested server realm, and given
> samba should virtually always canonicalize the realm, I think this
> check is good enough (this is similar to what we did in MIT with
> KRB5_KDB_FLAG_CROSS_REALM), and I think this test helps my case:
> Implementing two is simple enough, we fetch the right krbtgt key by
> the
> checksum type, like samba does (note that this doesn't solve the kvno
> problem..).

The main thing is to allow Samba to get to the krbtgt DB entry in the
update_pac to allow it to know it needs to do a PAC rebuild when
upgrading from an RODC.   I don't think it should be doing crypto on
the PAC, leave that to Heimdal now.

The check would be with the key read from the KVNO (the RODC one) and
the re-sign would be with the current krbtgt key.  This is the
difference between krbtgt_check_key and krbtgt_sign_key.  I think you
get this right.

> Do you think this can work? Any further thoughts on this matter?

I've looked over the branch a few times and I think it is OK, but we
should work on a combined patch for Samba and Heimdal and think how the
two should best interact.

Andrew Bartlett

Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Team Lead, Catalyst IT

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba-technical mailing list