Delegation of authentication (S4U) and SAMBA
Ephi.Dror at datadomain.com
Wed Feb 13 17:51:44 GMT 2008
Does samba support the use of S4U?
What do we need to configure in SAMBA or krb5 to support getting a
ticket obtained by S4U. We are using 3.0.25 and krb5-1.4.1
We are getting the following error:
decode_pac_data: Name in PAC [username at something1.something2.realmname]
does not match principal name in ticket
The ticket could be different than the PAC name because the ticket was
obtained using S4U extension.
Any help will be really appreciated.
Kerberos' ability to support delegation is a consequence of its unique
ticketing mechanism. When sending a ticket to a server, the Kerberos
client can add additional information to it so the server can reuse it
to request other tickets on the user's behalf to the Kerberos KDC
More information about the samba-technical