Delegation configuration help.

chinni naveenkiitr at gmail.com
Tue Mar 8 03:22:42 MST 2011


Hi Samba Team,

           I configured delegation on the w2k3 server for the cifs service for
a custom domain account. The front-end server, which is a Linux CentOS box,
connects to the back-end server, which is a w2k3 server with AD installed. So
from the CentOS box, when I get the service ticket for user X on behalf
of the delegated user Y (user Y gets the ticket for user X) and send the
same ticket to the server, the server replies with
KRB5KRB_AP_ERR_MODIFIED.

           I am using Heimdal code for sending the AP-REQ and TGS-REQ. The
service ticket in the TGS-REP has the ticket in which the client name is user X,
but the ticket is encrypted using user Y's password hash, so the application
server is not able to decrypt the ticket (this is why AP_ERR_MODIFIED
results). I need help with this: what configuration needs to be made on the
Linux box as well as on the w2k3 server so that I can get past this
error? Or else, how can we make the application server use the domain account
password to decrypt the ticket rather than the machine account password?

           The Linux box is joined to the domain and I can ping using the
FQDN successfully. Now in the TGS-REQ there is a PA-S4U2self in which
user X and the checksum are encapsulated along with the PA-TGS-REQ. The flags
for the TGS-REQ are forwardable, constrained delegation, canonicalize.
Service ticket flags are forwardable and pre-auth. Finally, AD and the
application server are on the same machine.

My SPNs for the domain account user

           setspn -a cifs/..com  \
           setspn -a cifs/  \

Please help me with how to overcome this.


Thanks,
chinni
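Editor's note on the error described above, as an added example that is not part of the original thread or of Samba's or Heimdal's code: KRB5KRB_AP_ERR_MODIFIED is what a Kerberos acceptor returns when it cannot decrypt the ticket inside the AP-REQ with any key it holds, so the first check is which principal's keys (and which kvno and enctype) the service's keytab actually contains, and whether they belong to the account that owns the cifs/ SPN. A Windows file server decrypts cifs/ tickets with its machine account key, so an SPN registered on a separate domain account makes the KDC encrypt tickets with a key the server does not have. The Python below parses the MIT/Heimdal keytab v2 file format and lists principal, kvno and enctype per entry; the sample keytab, the realm EXAMPLE.COM and the host fs1.example.com are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# MIT/Heimdal keytab file format, version 2 (magic 0x05 0x02). Each entry is:
#   int32 size; uint16 num_components; counted realm; counted component...;
#   uint32 name_type; uint32 timestamp; uint8 vno8; uint16 enctype; counted key;
#   [uint32 vno32]  (present if bytes remain; overrides vno8 when non-zero)
# A negative size marks a slot freed by a delete and must be skipped.
KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def write_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in keytab v2 layout (used here to build the constructed sample)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
        body += b"".join(_counted(c.encode()) for c in e.components)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)  # 32-bit vno trailer, as current ktutil writes
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Cursor:
    def __init__(self, data: bytes, pos: int):
        self.data, self.pos = data, pos

    def take(self, fmt: str):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self) -> bytes:
        (n,) = self.take(">H")
        b = self.data[self.pos:self.pos + n]
        if len(b) != n:
            raise ValueError("truncated keytab entry")
        self.pos += n
        return b


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (magic %r)" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted slot of |size| bytes; skip it
            pos += -size
            continue
        end = pos + size
        c = _Cursor(data, pos)
        (ncomp,) = c.take(">H")
        realm = c.counted().decode()
        comps = [c.counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = c.take(">IIB")
        (enctype,) = c.take(">H")
        key = c.counted()
        kvno = vno8
        if end - c.pos >= 4:         # optional 32-bit vno follows the key
            (vno32,) = c.take(">I")
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry(realm, comps, name_type, timestamp, kvno, enctype, key))
        pos = end
    return entries


def keys_for(entries: List[KeytabEntry], principal: str) -> Dict[int, int]:
    """enctype -> kvno for every key held for `principal`; empty dict means no key at all."""
    return {e.enctype: e.kvno for e in entries if e.principal == principal}


def describe(entries: List[KeytabEntry]) -> List[str]:
    return ["%s kvno=%d %s" % (e.principal, e.kvno, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
            for e in entries]


# Constructed sample, not a real keytab: the machine account's host/ key and a cifs/ key
# exported from a separate domain account; key bytes are filler.
SAMPLE_KEYTAB = write_keytab([
    KeytabEntry("EXAMPLE.COM", ["host", "fs1.example.com"], 1, 1299576000, 5, 23, b"\x11" * 16),
    KeytabEntry("EXAMPLE.COM", ["cifs", "fs1.example.com"], 1, 1299576000, 3, 23, b"\x22" * 16),
])

if __name__ == "__main__":
    for line in describe(parse_keytab(SAMPLE_KEYTAB)):
        print(line)
```

To inspect a real file, pass `open("/etc/krb5.keytab", "rb").read()` to `parse_keytab` and compare the kvno shown for the cifs/ principal with the owning account's msDS-KeyVersionNumber attribute in AD; a missing principal or a stale kvno on the acceptor side produces exactly the AP_ERR_MODIFIED symptom discussed in the post.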