Ticket History #7646: PAC checksum verification failed with enterprise principals

Hi,

when using enterprise principals with Active Directory PAC verification
fails with the trace message "PAC checksum verification failed: -1765328250/Principal
user@EXAMPLE.COM has realm present".

I think the reason is that in k5_pac_validate_client() it is assume that
the KRB5_PAC_CLIENT_INFO buffer contains only a user name and no realm
component (KRB5_PRINCIPAL_PARSE_NO_REALM flag for
krb5_parse_name_flags()). Section 3.3.5.4.2.2 of the MS-KILE document
says that the cname should be used in the KRB5_PAC_CLIENT_INFO buffer.
But when using enterprise principals the cname includes a realm part.

It would be nice if k5_pac_validate_client() can be enhanced to handle
enterprise principals as well, because they are important in AD
envirionments with trusts and addtional domain suffixes.

bye,
Sumit

On Sat, May 25, 2013 at 10:56:28AM -0400, Greg Hudson via RT wrote:

yes, I think this would work, but only on clients where default_realm is
set in /etc/krb5.conf.


Yes I thought so too. But since the client principal from the Kerberos ticket is
an enterprise principal as well (principal argument to
k5_pac_validate_client is of type KRB5_NT_ENTERPRISE_PRINCIPAL) and the
PAC-CLIENT-INFO buffer should be used to verify that PAC and client of
the ticket matches, I think it makes sense that cname form the
enterprise principal is used here.

bye,
Sumit

On Mon, May 27, 2013 at 12:56:50PM -0400, Greg Hudson via RT wrote:

Sorry, but I think I used enterprise principals wrong and there is no
issue at all. I was under the assumption that the canonicalize flag is
automatically set when enterprise principals are use but this is
obviously not the case. If set everything is working as expected.

I think the ticket can be closed.