Andrew,

Thank you for the information.  We will re-evaluate this issue and provide you 
with a response shortly.  I would like to request a network capture along with 
an NDR dump of the packet containing the PAC as you have described, to help 
understand the behavior you are seeing.  Also, if you can provide the OS 
version of the server, it would be helpful.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Monday, October 20, 2008 4:26 PM
To: Richard Guthrie
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: How to validate the PAC in NETLOGON SRX080918600905

On Mon, 2008-10-20 at 11:39 -0700, Richard Guthrie wrote:
> Andrew,
>
> I wanted to follow up on your request to add the sentence 'because the
> client has already validated the server signature over the whole PAC,
> and because the KDC signature is calculated over the server signature,
> it is sufficient to send only the server signature to the NETLOGON
> server' to the MS-PAC documentation.  We feel that the addition of
> your suggested sentence is not accurate for the Microsoft
> implementation of MS-PAC. As per the documentation there must be 2
> signatures included in the PAC_INFO_BUFFER structure.  This is defined
> in sections 2.4 and 2.8 with respect to the ulType field.  There must
> be both type 0x00000006 and type 0x00000007 signatures present for PAC
> structure validation to succeed.

Sure, but you don't send both to the NETLOGON server.  As such, you need to 
explain why this is valid.

Given the love of MUST in this documentation set, perhaps:

The client MUST have already validated the server signature over the whole PAC, 
and because the KDC signature is calculated over the server signature, it is 
sufficient to send only the server signature to the NETLOGON server for 
validation.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
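The point under discussion, that the server signature covers the whole PAC while the KDC signature covers only the server signature, so a NETLOGON verifier needs just the server signature and the KDC key, is easy to see in a small model. The following Python is an added illustration written for this thread; it is not Samba code and not Microsoft's implementation. It uses HMAC-SHA256 as a stand-in for the MS-PAC checksum types, constructed keys and a constructed PAC body, and ignores the real PAC_INFO_BUFFER layout; only the dependency between the two signatures is modelled.

```python
import hmac
import hashlib

# Constructed stand-ins for the service's long-term key and the KDC's key.
SERVER_KEY = b"constructed-service-key"
KDC_KEY = b"constructed-kdc-key"

# HMAC-SHA256 digest length; the real PAC checksum types have different sizes.
SIG_LEN = 32


def _mac(key: bytes, data: bytes) -> bytes:
    """Simplified keyed checksum standing in for the MS-PAC checksum types."""
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_pac(pac_body: bytes, server_key: bytes, kdc_key: bytes) -> dict:
    """Produce the two PAC signatures as the thread describes them.

    The server signature (ulType 0x00000006) is computed over the PAC with
    both signature fields zeroed; the KDC signature (ulType 0x00000007) is
    computed over the server signature only.
    """
    with_zeroed_sigs = pac_body + b"\x00" * SIG_LEN + b"\x00" * SIG_LEN
    server_sig = _mac(server_key, with_zeroed_sigs)
    kdc_sig = _mac(kdc_key, server_sig)
    return {"body": pac_body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def verify_server_signature(pac: dict, server_key: bytes) -> bool:
    """Check the service-side signature over the whole PAC."""
    with_zeroed_sigs = pac["body"] + b"\x00" * SIG_LEN + b"\x00" * SIG_LEN
    return hmac.compare_digest(_mac(server_key, with_zeroed_sigs), pac["server_sig"])


def verify_kdc_signature(server_sig: bytes, kdc_sig: bytes, kdc_key: bytes) -> bool:
    """What a NETLOGON-side verifier can do: it needs only the server
    signature and the KDC key, never the PAC body itself."""
    return hmac.compare_digest(_mac(kdc_key, server_sig), kdc_sig)


def validate_pac(pac: dict, server_key: bytes, kdc_key: bytes) -> tuple:
    """Full check in the order the thread describes: the server signature is
    validated locally over the whole PAC, then only the server signature is
    handed to the KDC-side check. Returns (server_ok, kdc_ok)."""
    server_ok = verify_server_signature(pac, server_key)
    kdc_ok = server_ok and verify_kdc_signature(pac["server_sig"], pac["kdc_sig"], kdc_key)
    return server_ok, kdc_ok


if __name__ == "__main__":
    good = sign_pac(b"constructed PAC body: user, groups, logon info", SERVER_KEY, KDC_KEY)
    print("genuine PAC:", validate_pac(good, SERVER_KEY, KDC_KEY))

    # Edited body: the server signature no longer matches.
    edited = dict(good, body=good["body"] + b", extra group")
    print("edited body:", validate_pac(edited, SERVER_KEY, KDC_KEY))

    # Re-signed with the service key but without the KDC key: the server
    # signature verifies, the KDC signature over it does not.
    resigned = sign_pac(b"constructed PAC body: user, groups, logon info", SERVER_KEY, b"not-the-kdc-key")
    print("re-signed without KDC key:", validate_pac(resigned, SERVER_KEY, KDC_KEY))
```

The third case is the one that matters for the thread: any change to the PAC body invalidates the server signature, and any replacement server signature invalidates the KDC signature, so forwarding the server signature alone to the KDC-side verifier loses nothing as long as the local check over the whole PAC has already been performed.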
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol