On Wed, 2008-08-27 at 12:23 -0700, Richard Guthrie wrote:
> Andrew,
> To verify the KDC signature, the keyed hash MUST be generated over the
> version of the server signature received in the
> KERB_VERIFY_PAC_REQUEST structure [MS-APDS] (section 2.2.2.1) using
> the algorithm specified in the SignatureType field in the
> KERB_VERIFY_PAC_REQUEST structure. The resulting hash is compared with
> the KDC signature value in the Signature value field in the
> KERB_VERIFY_PAC_REQUEST structure; if they match, the signature MUST
> be considered valid.

Thank you very much. This makes *much* more sense now (the subtle re-wording made me re-read our PAC implementation, and realise that the KDC checksum is over the server checksum, not the whole PAC).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
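
The check discussed in this exchange, as an added example that is not part of the original e-mails or of Samba's code: the KDC signature is verified over the server signature bytes, and feeding the whole PAC to the same routine fails. Assumptions not taken from the thread: the function names, the constructed keys and PAC bytes, support for only the HMAC-MD5 SignatureType (computed as in RFC 4757), and key usage 17 as given in [MS-PAC].

```python
import hashlib
import hmac
import struct

# Assumptions from RFC 4757 / [MS-PAC], not from the e-mail thread.
KERB_CHECKSUM_HMAC_MD5 = -138   # SignatureType 0xFFFFFF76 (RC4-HMAC keys)
PAC_KEY_USAGE = 17              # KERB_NON_KERB_CKSUM_SALT


def hmac_md5_checksum(key, usage, data):
    """RFC 4757 keyed checksum: HMAC-MD5 under a derived signing key."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def verify_kdc_signature(kdc_key, signature_type, server_signature, kdc_signature):
    """True if kdc_signature is the keyed hash of server_signature."""
    if signature_type != KERB_CHECKSUM_HMAC_MD5:
        raise ValueError("SignatureType not handled by this example")
    expected = hmac_md5_checksum(kdc_key, PAC_KEY_USAGE, server_signature)
    # Constant-time comparison of the computed and received signatures.
    return hmac.compare_digest(expected, kdc_signature)


def sign_pac(server_key, kdc_key, pac_zeroed):
    """Issuer side: server signature over the PAC, KDC signature over that."""
    server_sig = hmac_md5_checksum(server_key, PAC_KEY_USAGE, pac_zeroed)
    kdc_sig = hmac_md5_checksum(kdc_key, PAC_KEY_USAGE, server_sig)
    return server_sig, kdc_sig


# Constructed sample values, not real keys or a real PAC.
SERVER_KEY = bytes(range(16))
KDC_KEY = bytes(range(16, 32))
PAC_ZEROED = b"constructed PAC bytes with both signature fields zeroed"
SERVER_SIG, KDC_SIG = sign_pac(SERVER_KEY, KDC_KEY, PAC_ZEROED)

if __name__ == "__main__":
    # Correct input: the server signature as received in the request.
    print(verify_kdc_signature(KDC_KEY, KERB_CHECKSUM_HMAC_MD5, SERVER_SIG, KDC_SIG))
    # Mistaken input: the whole PAC instead of the server signature.
    print(verify_kdc_signature(KDC_KEY, KERB_CHECKSUM_HMAC_MD5, PAC_ZEROED, KDC_SIG))
```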
