I've written to dochelp looking for the docs or details on any changes made here.
It follows on from bug 15231 that the NETLOGON server validation of a PAC via SamLogonEx and NetlogonGenericInformation with package "Kerberos" will need to be extended to cover the full PAC, checking the full PAC signature. There are now new APIs on NETLOGON that Samba should implement. This isn't a Samba DC side issue, it is about avoiding security issues on the Windows client.
My development branch with some tests: https://gitlab.com/samba-team/devel/samba/-/commits/jsutton24/pac-verify There is also a conversation with dochelp: https://lists.samba.org/archive/cifs-protocol/2024-August/004374.html Some of it took place off‐list.
Actually, more up‐to‐date tests are in this other branch: https://gitlab.com/samba-team/devel/samba/-/commits/jsutton24/gmsa-9
(In reply to Jennifer Sutton from comment #5) I took some of your stuff and modified it to get useful IDL and a very basic test that works against Windows 2022 and 2025 preview. See https://gitlab.com/samba-team/samba/-/merge_requests/3878 Note I only tried enough to check if application level encryption should be added to netlogon_creds_crypt_samlogon_logon and netlogon_creds_crypt_samlogon_validation, but the answer is no...