Cross realm S4U2Self patches rebased on import-lorikeet-heimdal branch

Isaac Boukris iboukris at
Mon Sep 24 08:13:16 UTC 2018

Hi Andrew,

On github PR #204, Isaac Boukris wrote:
> I've rebased my work on top of (most commits from heimdal's PR #403 applied cleanly):
> Note, with new heimdal I somehow get the transitive-check errors which I previously only had with transitive trust (with a child domain involved).
> See this intriguing error below:
> Kerberos: TGS-REQ DC7$@SAMBA2008R2.EXAMPLE.COM from ipv4: for HOST/ at SAMBA2008R2.EXAMPLE.COM [canonicalize, renewable, forwardable]
> Kerberos: s4u2self DC7$@SAMBA2008R2.EXAMPLE.COM impersonating Administrator at ADDOM.SAMBA.EXAMPLE.COM to service HOST/ at SAMBA2008R2.EXAMPLE.COM
> Kerberos: cross-realm SAMBA2008R2.EXAMPLE.COM -> SAMBA2008R2.EXAMPLE.COM: no transit allowed through realm ADDOM.SAMBA.EXAMPLE.COM from SAMBA2008R2.EXAMPLE.COM to SAMBA2008R2.EXAMPLE.COM

I think I figured out this error, see attached possible patch which I want
to submit heimdal upstream (and to replace the transitive-trust poc
commits with it).
I had hoped it would solve other transit errors I've seen before my
changes, but alas it hasn't (these seem related to netbios and lower

> I'll look into it tomorrow, but meanwhile I applied the POC commits I had for transitive trust, and with it the cross-realm s4u2self new test pass.
> # make test TESTS=samba4.blackbox.kinit_trust FAIL_IMMEDIATELY=1 SAMBA_OPTIONS="-d3"
> Pipeline still running, but I guess there would be some failures:

The pipeline failed many krb5 torture tests, I'm looking around to see
if I can figure out something, and mainly if my changes have
introduced new errors.

I think one significant change in cross realm client code between the
two versions is the order of capath vs referral in
_krb5_get_cred_kdc_any(), which has changed (likely to break some
torture expectations).

> I've submitted a wip gitlab merge request with the changes against master which are more stable, but the logic is the same:

btw, I've also started a discussion on krbdev mailing list about
what's missing upstream to support xrealm S4U2Self with MIT backend (I
hope to submit PRs soon):

-------------- next part --------------
From 0e3bb2c1f9f475e46f75ea6c990b490021cfbfbb Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at>
Date: Mon, 24 Sep 2018 10:31:25 +0300
Subject: [PATCH] heimdal: kdc: fix transit check error in cross realm s4u2self

If the client and server realm are the same, then even if
the realm of presented tgt is different, it is still not
a transit realm (this happens in cross-realm s4u2self).

Note, this worked before the change to check against tgt
realm instead of our kdc realm, upstream heimdal commit:

Signed-off-by: Isaac Boukris <iboukris at>
 source4/heimdal/kdc/krb5tgs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index ba09f9b237f..1981abcef87 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -767,7 +767,8 @@ fix_transited_encoding(krb5_context context,
      * If the realm of the presented tgt is neither the client nor the server
      * realm, it is a transit realm and must be added to transited set.
-    if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+    if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)
+	    && strcmp(client_realm, server_realm)) {
 	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
 	    ret = ERANGE;
 	    goto free_realms;
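Review bot: the comment in the two context lines at the top of the hunk still documents only the rule that a tgt realm which is neither the client nor the server realm is a transit realm, but the added `&& strcmp(client_realm, server_realm)` clause introduces an exception (client and server realm equal, tgt realm different) that a reader of krb5tgs.c can only find in the commit message; please extend the comment with that sentence, e.g. "If client and server realm are the same, a tgt from another realm is not a transit realm either (cross-realm s4u2self)". Because the effect is that a foreign-realm tgt is no longer recorded in the transited set at all whenever the two realms match, the commit message should also say whether any request other than cross-realm s4u2self can reach fix_transited_encoding() with client_realm == server_realm != tgt_realm, or the exception should be gated on the s4u2self path instead of relaxing the general check; a test covering the cross-realm s4u2self case would make the intended behaviour explicit.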
