A question about S4U2Self with MIT KDC

Isaac Boukris iboukris at gmail.com
Thu Feb 7 10:44:04 UTC 2019

Hi Andreas & Alexander,

On Wed, Feb 6, 2019 at 1:49 PM Andreas Schneider <asn at samba.org> wrote:
> Yes we should verify it as Heimdal does. For that you need to extend the KDB
> plugin API from MIT Kerberos to pass down the required tgt-client principal
> name.

Thank you for confirming this, I'll submit a PR upstream, update the
patch accordingly, add comments and get back here.

> > principal and signatures, but so far I have not succeeded joining as a
> > DC to a Windows domain. I'm getting WERR_DS_NO_CROSSREF_FOR_NC error
> > against w2k8 and w2k16 - any help on this will be appreciated as well.
> Maybe metze can help here. He implemented support for it iirc.

Meanwhile, I found "samba-tool drs clone-dc-database
--include-secrets", which lets me steal the keys, so I should be able
to play with the TGT.

On Thu, Feb 7, 2019 at 11:50 AM Alexander Bokovoy <ab at samba.org> wrote:
> On ke, 06 helmi 2019, Isaac Boukris via samba-technical wrote:
> > $ echo -n pwd | kinit apache@ACME.COM --no-request-pac && kvno -Uuser@abc@ACME.COM apache@ACME.COM
> According to MS-PAC 4.1.2 Authorization Validation and Filtering,
> My reading of this is that it implies PAC validation cross-realm.

The example I used is a bit misleading, as it is not a cross-realm
request, just an enterprise name from the current realm (kvno -U assumes

I think the section you quoted is only relevant when a KDC copies the
PAC from the TGT to the ticket (or to the next referral TGT). My
question was about the case when the KDC creates a new PAC not based
on the old one, where the verification of the old one seems useless, as
no authorization decision is made upon it (this happens with S4U2Self,
in both in-realm and cross-realm scenarios).

The relevant doc is in MS-SFU 3.2.5.x - but I can't make sense of it :(

Thank you for the warm welcome and for all this amazing code,
especially the cross-realm code and the MIT integration from which
I've learned a lot, and which have enabled me to do some interesting
