Clarification on MS-PAC KERB_VALIDATION_INFO and Samba's implementation regarding UserFlags

Osipov, Michael (IN IT IN) michael.osipov at innomotics.com
Mon Sep 30 13:49:37 UTC 2024


Hi folks,

I seek guidance from you experts on the following case whether Samba's 
implementation and your understanding adheres to the specs off MS-PAC:
I have moved a server from one forest to another last weekend while the 
actual users remained in the old forest. The server runs Samba 4.16 ATM, 
but also also custom software written in Java utilizing the MS-PAC from 
the service ticket.

While processing the PAC from one specific user the KERB_VALIDATION_INFO 
failed to be parsed because ExtraSids pointer is set to NULL, but 
UserFlags has flag D set. The domain controller issued that ticket is 
Windows Server 2019 Standard running on 
domainFunctionality/forestFunctionality 6 and 
domainControllerFunctionality 7.
Now re-reading [1] it says that if flags D/H are set the appropriate 
pointers must not be NULL. Something does not add up for me here.

In Samba code the NETLOGON_EXTRA_SIDS [2] is always added regardless 
group_sids_to_info3() may actually not add any extra SIDs [3]. On the 
contrary, this code [4] does set this flag only if any extra SIDs are 
available, so does this test code [5]. Especially according to [5] my 
KERB_VALIDATION_INFO case is expected to fail.

My question is now: How to properly understand the 
ExtraSids/ResourceGroupDomainSid/ResourceGroupIds when those are NULL, 
can the flags still be set? If those are non NULL, the flags MUST be set 
for sure.

I can provide the dump and a parsed view from the dump privately before 
and after the server migration.

My actual fix for the problem is here [6] and the issue for it here [7]

Best regards,

Michael

[1] 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/69e86ccc-85e3-41b9-b514-7d969cd0ed73
[2] 
https://github.com/samba-team/samba/blob/f749330ddaba04cdae20570a9e842327715f3594/source3/auth/server_info.c#L613C27-L613C46
[3] 
https://github.com/samba-team/samba/blob/f749330ddaba04cdae20570a9e842327715f3594/source3/auth/server_info.c#L252-L254
[4] 
https://github.com/samba-team/samba/blob/f749330ddaba04cdae20570a9e842327715f3594/auth/auth_sam_reply.c#L399-L404
[5] 
https://github.com/samba-team/samba/blob/f749330ddaba04cdae20570a9e842327715f3594/python/samba/tests/krb5/raw_testcase.py#L4195-L4214
[6] https://github.com/michael-o/tomcatspnegoad/pull/24
[7] https://github.com/michael-o/tomcatspnegoad/issues/23



More information about the samba-technical mailing list