PAC Validation

PAC Validation

Andrew Bartlett
In my work on Samba4, I'm trying to actually handle the Kerberos PAC
(compared with the Samba3 approach of ignoring the problem).

As such, I'm trying to both parse the PAC (reasonably easy, with Samba's
NDR layer), and to validate the signatures.  

Has anybody on this list actually managed to follow the specification
Microsoft published, using the MIT Kerberos API?  I'm particularly
interested in public code I can just reference, but I'll take hints as
well :-)

In my attempts so far, I've extended Heimdal's kerberos and GSSAPI, but
I've not yet made it work.

Thanks,

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev


Re: PAC Validation

Andrew Bartlett
On Tue, 2005-06-28 at 19:20 +1000, Andrew Bartlett wrote:

> In my work on Samba4, I'm trying to actually handle the Kerberos PAC
> (compared with the Samba3 approach of ignoring the problem).
>
> As such, I'm trying to both parse the PAC (reasonably easy, with Samba's
> NDR layer), and to validate the signatures.  
>
> Has anybody on this list actually managed to follow the specification
> Microsoft published, using the MIT Kerberos API?  I'm particularly
> interested in public code I can just reference, but I'll take hints as
> well :-)
>
> In my attempts so far, I've extended Heimdal's kerberos and GSSAPI, but
> I've not yet made it work.

It always happens this way - as soon as you write the mail, you try one
more thing...  I now have the PAC validation working.  It is a bit of a
kludge at this point, but I will document it for a tutorial I'm giving
at the CIFS conference in August.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
