[krbdev.mit.edu #7646] PAC checksum verification failed with enterprise principals

Sumit Bose via RT rt-comment at krbdev.mit.edu
Fri May 24 16:15:36 EDT 2013


Hi,

when using enterprise principals with Active Directory, PAC verification
fails with the trace message "PAC checksum verification failed: -1765328250/Principal
user@EXAMPLE.COM has realm present".

I think the reason is that in k5_pac_validate_client() it is assumed that
the KRB5_PAC_CLIENT_INFO buffer contains only a user name and no realm
component (KRB5_PRINCIPAL_PARSE_NO_REALM flag for
krb5_parse_name_flags()). Section 3.3.5.4.2.2 of the MS-KILE document
says that the cname should be used in the KRB5_PAC_CLIENT_INFO buffer.
But when using enterprise principals the cname includes a realm part.

It would be nice if k5_pac_validate_client() can be enhanced to handle
enterprise principals as well, because they are important in AD
environments with trusts and additional domain suffixes.

bye,
Sumit
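The parse-flag mismatch the report describes, as an added model that is not MIT krb5's code: a minimal principal-name split that mirrors the NO_REALM and ENTERPRISE flag semantics (hypothetical names), showing why a client-info name such as user@EXAMPLE.COM is rejected under NO_REALM and accepted when the flags follow the cname's name type. The buffer sizes, return codes and the validate_client() shape are assumptions for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Model of the krb5 parse flags (hypothetical names, same meaning). */
#define NO_REALM   1
#define ENTERPRISE 2

/* Index of the realm separator: the first unescaped '@', or for enterprise
 * names the second one (the first '@' belongs to the name).  -1 if none. */
static int realm_separator(const char *s, bool enterprise) {
    bool skipped = false;
    for (int i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\\' && s[i + 1] != '\0') { i++; continue; }  /* "\@" is data */
        if (s[i] != '@') continue;
        if (enterprise && !skipped) { skipped = true; continue; }
        return i;
    }
    return -1;
}

/* Parse the PAC client-info name into comp (name part only, realm dropped).
 * Returns 0 on success, -1 when NO_REALM is set but a realm is present
 * (the "Principal ... has realm present" case), -2 if comp is too small. */
static int parse_client_info(const char *name, int flags, char *comp, size_t n) {
    int at = realm_separator(name, (flags & ENTERPRISE) != 0);
    if (at >= 0 && (flags & NO_REALM)) return -1;
    size_t len = (at >= 0) ? (size_t)at : strlen(name);
    if (len + 1 > n) return -2;
    memcpy(comp, name, len);
    comp[len] = '\0';
    return 0;
}

/* Validator: pick the parse flags from the cname's name type, then compare
 * name parts only.  cname_comp is the cname's first component (for an
 * enterprise cname that is the whole "user@EXAMPLE.COM" string).
 * Returns 0 on match, -3 on mismatch, or the parse error above. */
static int validate_client(const char *pac_name, const char *cname_comp, bool enterprise) {
    char comp[256];
    int rc = parse_client_info(pac_name, enterprise ? ENTERPRISE : NO_REALM, comp, sizeof comp);
    if (rc != 0) return rc;
    return strcmp(comp, cname_comp) == 0 ? 0 : -3;
}
```

Parsing the buffer with NO_REALM regardless of name type reproduces the failure; choosing ENTERPRISE for an enterprise cname makes the same buffer validate.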