On Mon, 2008-10-20 at 11:39 -0700, Richard Guthrie wrote:
> Andrew,
>
> I wanted to follow up on your request to add the sentence 'because the
> client has already validated the server signature over the whole PAC,
> and because the KDC signature is calculated over the server signature,
> it is sufficient to send only the server signature to the NETLOGON
> server' to the MS-PAC documentation. We feel that the addition of
> your suggested sentence is not accurate for the Microsoft
> implementation of MS-PAC. As per the documentation there must be 2
> signatures included in the PAC_INFO_BUFFER structure. This is defined
> in sections 2.4 and 2.8 with respect to the ulType field. There must
> be both type 0x00000006 and type 0x00000007 signatures present for PAC
> structure validation to succeed.
Sure, but you don't send both to the NETLOGON server. As such, you need to explain why this is valid. Given the love of MUST in this documentation set, perhaps:

The client MUST have already validated the server signature over the whole PAC, and because the KDC signature is calculated over the server signature, it is sufficient to send only the server signature to the NETLOGON server for validation.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
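The chain of checks being argued about above, as an added example that is not part of this thread or of any Samba or Microsoft code: the member server verifies the server signature over the whole PAC (with both signature fields zeroed), while the DC's NETLOGON check only needs the server signature value, because the KDC signature is computed over that value alone. HMAC-SHA256 stands in for the Kerberos keyed checksums, the fixed-width PAC layout is a simplification, and all keys and buffers are constructed here; none of these are from the page.

```python
"""Simplified model of the two chained MS-PAC signatures (example code, not
from the mailing-list thread or from Samba).

Assumptions not taken from the page: HMAC-SHA256 replaces the Kerberos
keyed checksum, and the PAC is modelled as an opaque body followed by two
fixed-size signature fields that are zeroed when the server checksum is
computed.
"""
import hashlib
import hmac
from dataclasses import dataclass

SIG_LEN = 32  # HMAC-SHA256 digest length (model assumption)


@dataclass
class Pac:
    body: bytes        # every non-signature PAC_INFO_BUFFER, serialised
    server_sig: bytes  # ulType 0x00000006 signature
    kdc_sig: bytes     # ulType 0x00000007 signature


def _checksum(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _bytes_for_server_checksum(pac: Pac) -> bytes:
    # Both signature fields are zeroed before the server checksum is taken,
    # so the server signature covers the whole PAC apart from itself.
    return pac.body + bytes(SIG_LEN) + bytes(SIG_LEN)


def sign_pac(body: bytes, server_key: bytes, kdc_key: bytes) -> Pac:
    """KDC side: server signature over the PAC, KDC signature over that value."""
    pac = Pac(body, bytes(SIG_LEN), bytes(SIG_LEN))
    pac.server_sig = _checksum(server_key, _bytes_for_server_checksum(pac))
    pac.kdc_sig = _checksum(kdc_key, pac.server_sig)  # covers only server_sig
    return pac


def client_validates_server_signature(pac: Pac, server_key: bytes) -> bool:
    """Member server: recompute the server signature over the whole PAC."""
    expected = _checksum(server_key, _bytes_for_server_checksum(pac))
    return hmac.compare_digest(expected, pac.server_sig)


def netlogon_validates_kdc_signature(server_sig: bytes, kdc_sig: bytes,
                                     kdc_key: bytes) -> bool:
    """DC side: the PAC body is never sent; only the two signature values are."""
    expected = _checksum(kdc_key, server_sig)
    return hmac.compare_digest(expected, kdc_sig)


def accept_pac(pac: Pac, server_key: bytes, kdc_key: bytes) -> bool:
    """The full path: local server check first, then the NETLOGON round trip."""
    if not client_validates_server_signature(pac, server_key):
        return False
    return netlogon_validates_kdc_signature(pac.server_sig, pac.kdc_sig, kdc_key)


def resign_with_server_key_only(pac: Pac, new_body: bytes,
                                server_key: bytes) -> Pac:
    """A PAC altered and re-signed by someone holding only the server key.

    The server signature is consistent with the new body, but the KDC
    signature still binds the old server signature, so the DC rejects it.
    """
    forged = Pac(new_body, bytes(SIG_LEN), bytes(SIG_LEN))
    forged.server_sig = _checksum(server_key, _bytes_for_server_checksum(forged))
    forged.kdc_sig = pac.kdc_sig
    return forged


if __name__ == "__main__":
    # Constructed sample keys and body; not real Kerberos material.
    server_key = b"member-server-long-term-key"
    kdc_key = b"krbtgt-long-term-key"
    pac = sign_pac(b"user=alice;groups=512,513", server_key, kdc_key)
    print("genuine PAC accepted:", accept_pac(pac, server_key, kdc_key))
    forged = resign_with_server_key_only(pac, b"user=alice;groups=512,513,519",
                                         server_key)
    print("server check on forged PAC:",
          client_validates_server_signature(forged, server_key))
    print("NETLOGON check on forged PAC:",
          netlogon_validates_kdc_signature(forged.server_sig, forged.kdc_sig,
                                           kdc_key))
```

The two-step split is the point of the proposed sentence: once the member server has verified the server signature over the whole PAC, every byte of the PAC is already bound to the value it forwards, and the DC only has to confirm that this value is the one the KDC signed.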
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
