PAC Validation

Andrew Bartlett abartlet at
Tue Jun 28 05:41:02 EDT 2005

On Tue, 2005-06-28 at 19:20 +1000, Andrew Bartlett wrote:
> In my work on Samba4, I'm trying to actually handle the kerberos PAC
> (compared with Samba3 approach of ignoring the problem).
> As such, I'm trying to both parse the PAC (reasonably easy, with Samba's
> NDR layer), and to validate the signatures.  
> Has anybody on this list actually managed to follow the specification
> Microsoft published, using the MIT Kerberos API?  I'm particularly
> interested in public code I can just reference, but I'll take hits as
> well :-)
> In my attempts so far, I've extended Heimdal's kerberos and GSSAPI, but
> I've not yet made it work.

It always happens this way - as soon as you write the mail, you try one
more thing...  I now have the PAC validation working.  It is a bit of a
cludge at this point, but I will document it for a tutorial I'm giving
at the CIFS conference in August.

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the krbdev mailing list