Delegation configuration help.

Narendra Kumar S.S ssnkumar at
Tue Mar 8 22:56:25 MST 2011


    I don't know if the delegation functionality of Samba really works.
    I had also faced similar problems and still it is not resolved.

    It will be of great help, if somebody for Samba team clarifies regarding
    1. Does delegation functionality works as expected?
    2. Has anybody used this or atleast tested this before?
    3. Is there any limitation for using this?
    4. Do we need to do any hack to get this working?

    Hope somebody can answer these questions.

Warm Regards,

Visit my blogs at:
   ___    ___    __    _
  /  __/  /  __/  /     | / /
_\   \   _ \   \   /   /| |/ /
\___/ \___/   /_/ |__/

On Tue, Mar 8, 2011 at 3:52 PM, chinni <naveenkiitr at> wrote:

> Hi Samba Team,
>           I configured delegation in w2k3 server for the cifs service for
> custom domain account. From the front end server which is a linux centos
> box
> connects to the back end server which is w2k3 server with AD installed. So
> from the centos box when I get the service ticket for the User X on behalf
> of the delegated user Y (user y gets the ticket for userx ) and sending the
> same ticket to the server , the server replies with the
>           I am using heimdal code for sending AP-REQ and TGS-REQ. The
> service ticket in the TGS-REP has the ticket in which client name is User
> X.
> But the ticket is encrypted using User Y password hash. So the application
> server cannot able to decrypt the ticket (this is why the AP_ERR_MODIFIED
> results). I need help in this, what configuration need to be made in the
> linux box  as well as in the w2k3 server so that I can get over from this
> error. Or else how can we make application server to take domain account
> password to decrypt the ticket rather than taking machine account password.
>           The linux box is joined in to the domain and I can ping using
> FQDN successfully. Now in the TGS-REQ, there is a PA-S4U2self in which the
> user X and the checksum is encapsulated along with the PA-TGS-REQ. The
> flags
> for the TGS-REQ is forward-able, constrained delegation, canonicalize.
> Service ticket flags are forwardable and pre-auth. finally AD and the
> application server are on the same machine.
> My sps's for the domain account user
>           setspn -a cifs/  \
>           setspn -a cifs/  \
> Please help me how to over come this.
> Thanks,
> chinni
> --
> View this message in context:
> Sent from the Samba - samba-technical mailing list archive at

More information about the samba-technical mailing list