Cross realm S4U2Self cont.

Stefan Metzmacher metze at
Fri Aug 3 14:33:51 UTC 2018

Hi Isaac,

I'm currently too busy to deeply follow your work, sorry!
I hope I got the chance in the next weeks...

> Note that unlike what I said initially, transitive trust still does
> not work (only direct trust). I thought it worked when I was testing
> with kgetcred against windows but when I try to actually accept the
> ticket by the service, it fails at krb5_check_transited(). Also, there
> seem to be the same issue on the KDC side when Samba KDC is in a the
> trust path.

Have a look at this thread:

We need to get something like this:
in order to disable the check.

Which can be used if the application requires a validated PAC.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list