Reliably looking up a user's group membership SIDs

Isaac Boukris iboukris at
Thu Mar 15 10:31:54 UTC 2018

Hi Stefan,

On Mon, Mar 12, 2018 at 9:39 PM, Stefan Metzmacher <metze at> wrote:
> Hi Isaac,
>>> Can you follow up on that discussion with MIT and get this fixed in any
>>> of the possible ways?
>> Sure, I'll do a PR with your patch and reference this thread.
>> I'm not sure I could add a test in MIT, as I can't find a way to get
>> the returned pac-principal with an '@' sign.
> Thanks! Can you check if they need some kind of bug report
> in order to backport the fix to older releases?

Done, see:

>>> In addition it would be good to get the bug in Heimdal fixed, so that
>>> we can at least have some minimal tests in Samba's autobuild.

From the packet capture, it seems Heimdal lacks the logic to locate the
user's realm and instead tries to get the ticket directly from its own
KDC (which fails with err-policy).
This logic is detailed in MS-SFU (implemented in MIT code as
s4u_identify_user()), doc:

I think one step would be to enable the canonicalization flag in
get_cred_kdc_referral() (or maybe in get_cred_kdc_capath()?).
If you got some insights on how to fix it in Heimdal, I'd love to hear.

Thanks and regards.
