Kerberos PAC info on MSDN Library

Luke Kenneth Casson Leighton lkcl at
Tue Feb 26 20:41:01 EST 2002

On Wed, Feb 27, 2002 at 10:17:06AM +1100, Luke Howard wrote:
> >lkcl> the samba tng project also actually contains
> >lkcl> more info (i.e. all of those "reserved" fields
> >lkcl> that's bullshit, they're well-known fields!)
> >lkcl> in some areas than is outlined in this microsoft
> >lkcl> document.
> >
> >Are these well-known fields that are claimed to be "reserved" in the
> >MS document actually required for proper functioning of a MS service?
 well ... yes!

 they contain the username, user's full name, kick-off time,
 last logon time, workstations from which the user is allowed
 to log on, logon hours range, etc. etc.

 okay, so it's not "proper" functioning but it is _useable_

 the difference is subtle and significant.

> I'm not sure whether the LSA retrieves these from the PAC or ignores
> them and retrieves them directly from Active Directory. Probably the
> former.

 *shrug*.  no clue, here.
 [i've not had resources for the last three years sufficient
 to continue research into NT domains.

 when i get money, i will do work.

 not until: i got ripped off once already with "free" software
 and i won't do it again.


> Luke Leighton's book on DCE/RPC and SMB contains a Network Monitor
> excerpt that reveals the NETLOGON_VALIDATION_SAM_INFO2 structure;
> this is laid out similarly to KERB_VALIDATION_INFO without the
> last three fields (no resource groups). The "reserved" fields are
> labelled. (I assume we can treat this as public information as
> it has been published in a book. :-))

 yes, you can.  freedom of speech and all that rubbish.

 different source etc.

 available outside of the united states etc.

 written by a non-us citizen etc.


this message is private, confidential, and is intended for
the specified recipients only.  if you received, altered,
deleted, modified, destroyed or interfered with the
contents of this message, in whole or in part, please
inform the sender (that's me), immediately.

if you, the recipient, reply to this message, and do not
then receive a response, please consider your reply to have
been lost or deliberately destroyed: i *always* acknowledge
personal email received.  please therefore take appropriate
action to ensure effective communication.

thank you.
