Reliably looking up user's group membership SIDs

Isaac Boukris iboukris at
Sat Mar 17 21:11:49 UTC 2018

On Thu, Mar 15, 2018 at 12:31 PM, Isaac Boukris <iboukris at> wrote:
> On Mon, Mar 12, 2018 at 9:39 PM, Stefan Metzmacher <metze at> wrote:
>>>> In addition it would be good to get the bug in Heimdal fixed, so that
>>>> we can at least have some minimal tests in Samba's autobuild.
> From packet capture, it seems Heimdal lacks the logic to locate the
> user's realm but instead tries to get the ticket directly from its own
> KDC (fails, with err-policy).
> This logic is detailed in MS-SFU (implemented in MIT code as
> s4u_identify_user()), doc:
> I think one step would be to enable canonicalization flag, in
> get_cred_kdc_referral() (or maybe in get_cred_kdc_capath()?).

FYI, I managed to get Heimdal S4U2Self to somehow work for a user from
child domain, really just a prove-of-concept, see:

The tricky part was, what realm to set in tgs request-body when
sending s4u request to kdc of child domain. If set to service realm
then it'd complain wrong-realm, while if set to impersonate realm
(child) then it say unknown-principal.
Then I looked at MIT code, they send the impersonate realm (kdc's)
along with the service converted to enterprise-name! so borrowed that
convert_to_enterprise() function and it worked (I wonder if it'll work
with an spn too).

More information about the samba-technical mailing list