It turns out that the Netlogon PAC verification is encrypted.

This test now passes against Win2k3, and a implementation in the
Samba4 server should follow shortly.

Andrew Bartlett
(This used to be commit c6b8ba893dd3ed90bca32c0ae89fd33be729c238)

2 files changed, 9 insertions, 2 deletions

diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl
index 699f0b896b..dcee280150 100644
--- a/source4/librpc/idl/krb5pac.idl
+++ b/source4/librpc/idl/krb5pac.idl
@@ -100,8 +100,10 @@ interface krb5pac
 		PAC_BUFFER_RAW buffers[num_buffers];
 	} PAC_DATA_RAW;
 
+	const int NETLOGON_GENERIC_KRB5_PAC_VALIDATE = 3;
+
 	typedef [public] struct {
-		uint32 MessageType;
+		[value(NETLOGON_GENERIC_KRB5_PAC_VALIDATE)] uint32 MessageType;
 		uint32 ChecksumLength;
 		uint32 SignatureType;
 		uint32 SignatureLength;
diff --git a/source4/librpc/idl/netlogon.idl b/source4/librpc/idl/netlogon.idl
index 006411dfbf..2298106851 100644
--- a/source4/librpc/idl/netlogon.idl
+++ b/source4/librpc/idl/netlogon.idl
@@ -240,6 +240,11 @@ interface netlogon
 		lsa_String unknown4;
 	} netr_PacInfo;
 
+	typedef [flag(NDR_PAHEX)] struct {
+		uint32 length;
+		[size_is(length)] uint8 *data;
+	} netr_GenericInfo2;
+
 	typedef enum {
 		NetlogonValidationUasInfo = 1,
 		NetlogonValidationSamInfo = 2,
@@ -252,7 +257,7 @@ interface netlogon
 		[case(NetlogonValidationSamInfo)] netr_SamInfo2 *sam2;
 		[case(NetlogonValidationSamInfo2)] netr_SamInfo3 *sam3;
 		[case(4)] netr_PacInfo  *pac;
-		[case(NetlogonValidationGenericInfo2)] netr_PacInfo  *pac;
+		[case(NetlogonValidationGenericInfo2)] netr_GenericInfo2  *generic;
 		[case(NetlogonValidationSamInfo4)] netr_SamInfo6 *sam6;
 	} netr_Validation;