Cross realm S4U2Self cont.

Isaac Boukris iboukris at
Tue Aug 7 13:20:12 UTC 2018

On Mon, Aug 6, 2018 at 3:36 PM, Isaac Boukris <iboukris at> wrote:
> What I still wonder is, why does it seem to be a problem only with
> s4u2self, or is it really?
> Technically it sounds like it should happen with regular tickets too,
> so I'm trying to trigger it that way (and also, to see how it can be
> tested in samba).

So I've tested using a regular ticket for the same principal, acquired
with kinit and kvno with referrals, and there was no error.
A closer look seems to indicate that, in that case, the Windows KDC does
not send a transit list so the check is skipped (transited.contents.length
== 0), and only sends it in the s4u2self case.
Not that it changes much, but it feels like I'm missing something.

> Regarding my last comment about the same issue on the samba KDC side,
> I'm not so sure actually, I'm trying to test this again now.
> However, I think I found another bug in samba KDC with transitive

Well, apart from that other bug, there is the same transit-check issue
on the kdc side, twice actually.
The attached proof-of-concept patch disables them both, and with it
transitive trust works both ways.
Since it is not using gss, I think we'd need some kdc configuration
option to disable transit check unconditionally.
-------------- next part --------------
From 3a6f28e7daac7168eaf08687ac5eb8c80ddb8fef Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at>
Date: Tue, 7 Aug 2018 15:56:23 +0300
Subject: [PATCH] wip: kdc: disable transit check

Signed-off-by: Isaac Boukris <iboukris at>
 source4/heimdal/kdc/krb5tgs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index de46489c105..2ec75a04aeb 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -787,13 +787,13 @@ tgs_make_reply(krb5_context context,
-    ret = fix_transited_encoding(context, config,
-				 !f.disable_transited_check ||
+    ret = fix_transited_encoding(context, config, 0,
+				 /*!f.disable_transited_check ||
 				 &tgt->transited, &et,
 				 krb5_principal_get_realm(context, client_principal),
 				 krb5_principal_get_realm(context, server->entry.principal),
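Review bot: the literal 0 now passed as the third argument to fix_transited_encoding() switches the transited check off for every reply built in tgs_make_reply(), not only for the cross-realm S4U2Self case under discussion, so the transit path of any cross-realm TGT is no longer validated here. Since config is already passed to the call, derive this argument from a KDC configuration setting that defaults to checking, and keep the existing f.disable_transited_check term. Also remove the commented-out remnant "/*!f.disable_transited_check ||": in the lines shown the comment is opened but not closed before the following arguments.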
@@ -1280,6 +1280,8 @@ tgs_parse_request(krb5_context context,
 	verify_ap_req_flags = 0;
+    verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_NO_TRANSIT_CHECK;
     ret = krb5_verify_ap_req2(context,
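Review bot: "verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_NO_TRANSIT_CHECK;" is added at the outer indentation level, directly before krb5_verify_ap_req2(), so it applies to every TGS request regardless of what the preceding branch assigned to verify_ap_req_flags. Make it conditional on the same KDC configuration option used for the fix_transited_encoding() call, with the default leaving the transit check enabled, and add a comment saying which interoperability case needs the flag.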
