
Re: Does PAC Validation Require External Communication?



On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
> This link claims MS' PAC verification can require communication with
> the DC:
> 
> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx
> 
> Is this true? If so, services will not be able to authenticate nearly
> as fast as they otherwise could.

If you think that someone else (not root) has access to the local
Kerberos keytab (or the machine account password), then that user could
spoof their way to any (CIFS) user via the PAC, because they could make
up a fake one.  Similarly, as always with Kerberos, they could change
the principal in the ticket, etc.

This can be worked around by validating the PAC to the KDC, but should
be of concern to anyone who shares that keytab too broadly (e.g. with
Apache).

On Windows, I think a user could run a service, and unless the PAC was
validated with the KDC, they could use their password to fake their way
down to another more privileged user.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
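A simplified model of the two PAC checksums behind the argument above, added here as an illustration (not code from this thread, from Samba, or from Microsoft): the server checksum is keyed with the service's own key, so it proves nothing to the service itself, while the KDC checksum is keyed with the krbtgt key that only the domain controller holds. Keys, claims and the HMAC-SHA256 construction are constructed for the model; real PACs use the MS-PAC checksum types.

```python
import hashlib
import hmac
import json

# Constructed keys for the model: the service's long-term key (what a keytab or
# machine account password yields) and the krbtgt key, which never leaves the DC.
SERVICE_KEY = b"constructed-service-keytab-key"
KDC_KEY = b"constructed-krbtgt-key-held-only-by-the-dc"


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode(claims: dict) -> bytes:
    return json.dumps(claims, sort_keys=True).encode()


def issue_pac(claims: dict, service_key: bytes, kdc_key: bytes) -> dict:
    """KDC issuance: server checksum over the PAC body with the service key,
    KDC checksum over that server checksum with the krbtgt key."""
    server_sig = _mac(service_key, _encode(claims))
    return {"claims": claims, "server_sig": server_sig,
            "kdc_sig": _mac(kdc_key, server_sig)}


def pac_from_service_key_only(claims: dict, service_key: bytes) -> dict:
    """What someone holding only the keytab can produce: a valid server
    checksum but no way to compute the KDC checksum (placeholder zeros)."""
    server_sig = _mac(service_key, _encode(claims))
    return {"claims": claims, "server_sig": server_sig, "kdc_sig": bytes(32)}


def verify_locally(pac: dict, service_key: bytes) -> bool:
    """The only check a service can do offline: the server checksum."""
    expected = _mac(service_key, _encode(pac["claims"]))
    return hmac.compare_digest(expected, pac["server_sig"])


def verify_with_kdc(pac: dict, kdc_key: bytes) -> bool:
    """The check the DC performs when the service sends the PAC for validation;
    this is the round trip the original question asks about."""
    return hmac.compare_digest(_mac(kdc_key, pac["server_sig"]), pac["kdc_sig"])


def demo() -> dict:
    genuine = issue_pac({"user": "alice", "groups": ["Users"]}, SERVICE_KEY, KDC_KEY)
    keytab_only = pac_from_service_key_only({"user": "admin", "groups": ["Admins"]},
                                            SERVICE_KEY)
    return {"genuine_local": verify_locally(genuine, SERVICE_KEY),
            "genuine_kdc": verify_with_kdc(genuine, KDC_KEY),
            "keytab_only_local": verify_locally(keytab_only, SERVICE_KEY),
            "keytab_only_kdc": verify_with_kdc(keytab_only, KDC_KEY)}
```

The local check accepts both PACs; only the KDC round trip distinguishes the one the DC actually issued, which is exactly the trade-off between speed and trusting everyone who can read the keytab.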
