A question about S4U2Self with MIT KDC

Andreas Schneider asn at samba.org
Wed Feb 6 11:49:16 UTC 2019

On Wednesday, February 6, 2019 10:21:59 AM CET Isaac Boukris via samba-technical wrote:
> Hi team,

Hi Isaac,
> Given the cross-realm S4U2Self patches have landed upstream mit-krb5
> (see PR #853), I'd like to work on Samba side as well. However I've
> been struggling with the following question (which applies to in-realm
> as well); when processing an S4U2Self TGS-REQ is it required to verify
> the PAC in the TGT or can it be ignored?
> Technically, we should be able to verify it (we have both krbtgt and
> server key, or at least the server key in case of cross-realm), and
> Heimdal indeed does that. But the sign_authdata() plugin method in
> MIT currently does not provide us with the tgt-client principal name
> to match against the PAC (but only with the impersonate principal to
> construct a new PAC).

thank you very much for working on this and welcome to the wonderful world of 
MIT Kerberos development!

Yes, we should verify it as Heimdal does. For that you need to extend the KDB 
plugin API from MIT Kerberos to pass down the required tgt-client principal.

Here is an example:

> For in-realm requests we could workaround this by matching against
> 'server->princ' since it is the same principal (assuming the PAC was
> signed using the canonical name) but in cross realm this isn't the
> case, so we may need a new API to be able to verify the PAC.

See above :-)

> I've raised this question back then on krbdev (referenced in
> aforementioned PR) and we couldn't think of a sensible reason why we'd
> need to verify the PAC. However it seems that Windows KDC requires
> that the TGT does include a PAC, since the following command yields
> err_c_principal_unknown:
> $ echo -n pwd | kinit apache at ACME.COM --no-request-pac && kvno
> -Uuser at abc@ACME.COM apache at ACME.COM
> This does not prove that it actually verifies the PAC but does imply
> that. I tried to prove it further by trying to join a Samba DC to a
> Windows domain in order to forge a TGT with a PAC using a wrong
> principal and signatures, but so far I have not succeeded joining as a
> DC to a Windows domain. I'm getting WERR_DS_NO_CROSSREF_FOR_NC error
> against w2k8 and w2k16 - any help on this will be appreciated as well.

Maybe metze can help here. He implemented support for it iirc.

> See attached initial patch for in-realm S4U2Self with MIT KDC (it does
> not currently verify the TGT PAC, but simply discards it).

Looking at the patch. We need more code comments. I'm sorry that we did not do 
that from the beginning, but it is never too late to start with them :-)

Thanks again,


Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
