[cifs-protocol] Kerberos Constrained-Delegation in RODC environment

Isaac Boukris iboukris at gmail.com
Tue Aug 10 14:09:22 UTC 2021

Hello dochelp!

I've been running some S4U tests in an RODC environment against fully
updated Windows KDCs (supporting pac-ticket-signature). I noticed the
following behavior when making an S4U2Proxy request to an RWDC, using a
TGT and/or a 2nd ticket that was issued by an RODC (attached packet
capture and keytab).

test | TGT  | 2nd ticket | KDC  | result
-----+------+------------+------+--------------
  1  | rwdc | rwdc       | rwdc | works
  2  | rwdc | rodc       | rwdc | err-modified?
  3  | rodc | rwdc       | rwdc | works!
  4  | rodc | rodc       | rwdc | works!

You'd notice that tests 3 and 4 both work, meaning the 2nd ticket can
be issued by either an RWDC or an RODC. I guess the KDC checks the
RODCIdentifier in the KDC PAC signatures (MS-PAC 2.8
PAC_SIGNATURE_DATA) in order to know what key to use to verify the
signature, but it isn't clearly documented afaict.

What I wonder about is test 2. This test uses a normal TGT with a 2nd
ticket issued by an RODC, and we make the request against the RWDC,
which knows the rodc-krbtgt_46673 key with which the pac-ticket was
signed, so why does it fail with err-modified? Why is it worse than
test 4, where both the TGT and the 2nd ticket were issued by an RODC and
it still works? And where is this error path documented (or should

-------------- next part --------------
A non-text attachment was scrubbed...
Name: s4u2proxy_rodc_env_win2012.pcapng
Type: application/x-pcapng
Size: 35844 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20210810/2e6d45f1/s4u2proxy_rodc_env_win2012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: acme_samba.kt
Type: text/x-kotlin
Size: 1671 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20210810/2e6d45f1/acme_samba.bin>
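The key-selection logic the post guesses at (RODCIdentifier in the KDC checksum's PAC_SIGNATURE_DATA deciding whether the verifier uses the domain krbtgt key or the RODC's krbtgt_<id> key), as an added example that is not part of the post or of Samba's code. It packs and parses MS-PAC 2.8 PAC_SIGNATURE_DATA, computes the KERB_CHECKSUM_HMAC_MD5 checksum per RFC 4757 (the AES checksum types are only length-mapped, not implemented), and verifies an RODC-signed KDC checksum from the point of view of an RWDC that does hold krbtgt_46673. All keys and PAC bytes are constructed; the server checksum here covers a placeholder body rather than a full PAC with both Signature fields zeroed, and the kvno/RODC-id split into high and low 16 bits is stated as the relationship behind the krbtgt_46673 name in the post.

```python
"""PAC_SIGNATURE_DATA handling with RODCIdentifier-driven key selection.

Added example, not from the mailing-list post or from Samba. Keys, PAC body
and RODC id 46673 are constructed for illustration.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# SignatureType values (MS-PAC 2.8) and the Signature length each implies
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # RC4-HMAC checksum, 16-byte signature
HMAC_SHA1_96_AES128 = 0x0000000F      # 12-byte signature
HMAC_SHA1_96_AES256 = 0x00000010      # 12-byte signature
SIG_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, HMAC_SHA1_96_AES128: 12, HMAC_SHA1_96_AES256: 12}
KERB_NON_KERB_CKSUM_SALT = 17         # key usage for both PAC checksums
KRB_AP_ERR_MODIFIED = 41              # the "err-modified" seen on the wire


def rc4_hmac_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 as in RFC 4757 section 4 (usage is 4-byte LE)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def pack_signature_data(sig_type: int, signature: bytes, rodc_id: Optional[int] = None) -> bytes:
    """Serialize PAC_SIGNATURE_DATA; RODCIdentifier is appended only when given."""
    buf = struct.pack("<I", sig_type) + signature
    if rodc_id is not None:
        buf += struct.pack("<H", rodc_id)
    return buf


def parse_signature_data(buf: bytes) -> Tuple[int, bytes, Optional[int]]:
    """Return (SignatureType, Signature, RODCIdentifier or None if absent)."""
    (sig_type,) = struct.unpack_from("<I", buf, 0)
    n = SIG_LEN[sig_type]
    signature = buf[4:4 + n]
    rodc_id = struct.unpack_from("<H", buf, 4 + n)[0] if len(buf) >= 6 + n else None
    return sig_type, signature, rodc_id


def kdc_key_name(rodc_id: Optional[int]) -> str:
    """Account whose key signed the KDC checksum: krbtgt, or krbtgt_<id> for an RODC."""
    return f"krbtgt_{rodc_id}" if rodc_id else "krbtgt"


def kvno_rodc_id(kvno: int) -> int:
    """RODC-issued tickets carry the RODC id in the high 16 bits of the kvno (assumed here)."""
    return (kvno >> 16) & 0xFFFF


def sign_pac(pac_body: bytes, server_key: bytes, kdc_key: bytes,
             rodc_id: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Build server and KDC PAC_SIGNATURE_DATA; the KDC checksum covers the server Signature."""
    server_sig = rc4_hmac_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, pac_body)
    kdc_sig = rc4_hmac_checksum(kdc_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    return (pack_signature_data(KERB_CHECKSUM_HMAC_MD5, server_sig),
            pack_signature_data(KERB_CHECKSUM_HMAC_MD5, kdc_sig, rodc_id))


def verify_kdc_signature(keys: Dict[str, bytes], server_sig_data: bytes,
                         kdc_sig_data: bytes) -> Tuple[int, str]:
    """Verify the KDC checksum with the key selected by RODCIdentifier.

    Returns (0, key_name) on success or (KRB_AP_ERR_MODIFIED, key_name) when the
    chosen key is unknown or the checksum does not match.
    """
    _, server_sig, _ = parse_signature_data(server_sig_data)
    _, kdc_sig, rodc_id = parse_signature_data(kdc_sig_data)
    name = kdc_key_name(rodc_id)
    if name not in keys:
        return KRB_AP_ERR_MODIFIED, name
    expected = rc4_hmac_checksum(keys[name], KERB_NON_KERB_CKSUM_SALT, server_sig)
    return (0 if hmac.compare_digest(expected, kdc_sig) else KRB_AP_ERR_MODIFIED), name


def demo() -> Tuple[int, int, int]:
    """Constructed scenario: an RWDC verifying a PAC whose KDC checksum an RODC made."""
    keys = {"krbtgt": bytes(range(16)), "krbtgt_46673": bytes(range(16, 32))}  # constructed
    server_key = b"\x00" * 15 + b"\xff"                                          # constructed
    pac_body = b"\x00" * 32 + b"PAC_LOGON_INFO placeholder"                      # constructed
    srv, kdc = sign_pac(pac_body, server_key, keys["krbtgt_46673"], rodc_id=46673)
    ok, _ = verify_kdc_signature(keys, srv, kdc)                         # RWDC holds krbtgt_46673
    missing, _ = verify_kdc_signature({"krbtgt": keys["krbtgt"]}, srv, kdc)  # key not held
    stripped = kdc[:-2]                                                  # RODCIdentifier dropped
    wrong_key, _ = verify_kdc_signature(keys, srv, stripped)             # falls back to krbtgt
    return ok, missing, wrong_key
```

The third case in `demo` is the one worth keeping in mind when reading the test matrix in the post: if the RODCIdentifier is absent or ignored, the verifier reaches for the plain krbtgt key, and an otherwise valid RODC-signed checksum reports KRB_AP_ERR_MODIFIED.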
