On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
> This link claims MS' PAC verification can require communication with
> the DC:
>
> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx
>
> Is this true? If so, services will not be able to authenticate nearly
> as fast as they otherwise could.

If you think that someone else (not root) has access to the local
kerberos keytab (or the machine account password), then that user could
spoof their way to any (CIFS) user via the PAC, because they could make
up a fake one. Similarly, as always with kerberos, they could change the
principal in the ticket, etc.

This can be worked around by validating the PAC to the KDC, but should
be of concern to anyone who shares that keytab too broadly (eg with
apache).

On windows, I think a user could run a service, and unless the PAC was
validated with the KDC, they could use their password to fake their way
down to another more privileged user.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
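The following is an added illustration of the trust argument in this thread, not code from the thread or from Samba. It is a simplified model of PAC signing, not the MS-PAC wire format: the KDC signs the authorisation data with the service's key (the "server checksum") and then signs that checksum with its own krbtgt key (the "KDC checksum"). All keys, names and functions are constructed for the model. The point it demonstrates is the one Andrew makes: a service checking only the server checksum cannot distinguish a PAC the KDC issued from one produced by anyone holding the keytab, while validating with the KDC can.

```python
import hashlib
import hmac
import json

# Constructed keys for the model. SERVICE_KEY stands for what the keytab
# (or machine account password) gives a service; KDC_KEY stands for the
# krbtgt key, which only the KDC holds.
SERVICE_KEY = b"constructed-service-keytab-key"
KDC_KEY = b"constructed-krbtgt-key"


def _mac(key, data):
    # HMAC-SHA256 stands in for the Kerberos checksum types; model only.
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode_body(principal, groups):
    # Canonical encoding so both sides checksum identical bytes.
    return json.dumps({"principal": principal, "groups": sorted(groups)},
                      sort_keys=True).encode()


def issue_pac(kdc_key, service_key, principal, groups):
    """What the KDC does when it issues a service ticket: sign the body
    with the service key, then sign that checksum with the krbtgt key."""
    body = _encode_body(principal, groups)
    server_checksum = _mac(service_key, body)
    kdc_checksum = _mac(kdc_key, server_checksum)
    return {"body": body, "server_checksum": server_checksum,
            "kdc_checksum": kdc_checksum}


def pac_from_keytab_only(service_key, principal, groups):
    """Model of what a holder of the keytab alone can produce: a body with
    a valid server checksum, but no valid KDC checksum, because the krbtgt
    key is not available to them."""
    body = _encode_body(principal, groups)
    return {"body": body, "server_checksum": _mac(service_key, body),
            "kdc_checksum": bytes(32)}


def verify_locally(pac, service_key):
    """Service-side check: recompute the server checksum with the keytab key."""
    return hmac.compare_digest(_mac(service_key, pac["body"]),
                               pac["server_checksum"])


def verify_at_kdc(pac, kdc_key):
    """The check only the KDC can perform: the server checksum must itself
    carry a valid krbtgt signature."""
    return hmac.compare_digest(_mac(kdc_key, pac["server_checksum"]),
                               pac["kdc_checksum"])


def accept(pac, service_key, kdc_key=None):
    """Decision a service makes. Without KDC validation (kdc_key is None)
    only the local check runs; with it, the KDC's signature is required too."""
    if not verify_locally(pac, service_key):
        return False
    if kdc_key is None:
        return True
    return verify_at_kdc(pac, kdc_key)


def tampered(pac):
    """Helper for the model: alter the body after issuance."""
    return dict(pac, body=pac["body"].replace(b'"users"', b'"admins"'))
```

Running `accept(pac_from_keytab_only(SERVICE_KEY, "alice", ["admins"]), SERVICE_KEY)` returns True, which is the exposure described above for a keytab shared too broadly; passing `kdc_key=KDC_KEY` turns the same call into False. The KDC round trip is what buys that distinction, which is also why it costs the latency the original question asks about.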