KDC Authorization logic of S4U2Self request

Isaac Boukris iboukris at gmail.com
Wed May 13 12:04:18 UTC 2020


Hi,

This is a follow-up to:
https://lists.samba.org/archive/samba-technical/2019-February/132340.html

In short, the question was whether the KDC should verify the PAC of the
TGT in the initial S4U2Self request like Windows, and why.

I think the reason Windows requires the PAC in this S4U2Self request
is because it uses the PAC in the TGT in order to construct an
authorization-token, which it then uses to query the impersonated user
in DB.

See also this article (I can reproduce it by adding deny perms for the
impersonator on the target client db entry):
https://support.microsoft.com/sv-se/help/2009157/kdc-err-c-principal-unknown-returned-in-s4u2self-request

If we'd do something like that, then the PAC would implicitly be
required and verified. But I think we'd need changes in the KDC for
that (both Heimdal/MIT).

Thoughts?
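A small model of the flow the message describes, added here as an illustration and not code from the post, Samba, Heimdal or MIT: the KDC takes the PAC from the evidence TGT of an S4U2Self request, builds an authorization token from its SIDs, and performs the lookup of the impersonated user's DB entry under that token. A deny entry for the impersonator on the target entry makes the lookup fail with KDC_ERR_C_PRINCIPAL_UNKNOWN, and a TGT without a (verified) PAC yields an empty token, so the PAC is implicitly required. Principal names, SIDs, the ACL shape and the "deny wins" rule are constructed assumptions for the example.

```python
"""Model of S4U2Self authorization via a PAC-derived token (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KDC_ERR_C_PRINCIPAL_UNKNOWN = "KDC_ERR_C_PRINCIPAL_UNKNOWN"


@dataclass
class Pac:
    user_sid: str
    group_sids: List[str]
    signature_ok: bool  # stands in for the KDC's PAC checksum verification


@dataclass
class Tgt:
    client: str
    pac: Optional[Pac]  # None models a TGT issued without a PAC


@dataclass
class DbEntry:
    principal: str
    # ACL as (kind, sid) pairs; "deny" takes precedence over "allow" (assumption)
    acl: List[Tuple[str, str]]


def build_authz_token(tgt: Tgt) -> frozenset:
    """Derive the set of SIDs the requester acts with from the TGT's PAC.

    No PAC, or a PAC whose signature does not verify, gives an empty token:
    the requester can then satisfy no ACL, so the PAC is implicitly required.
    """
    if tgt.pac is None or not tgt.pac.signature_ok:
        return frozenset()
    return frozenset([tgt.pac.user_sid, *tgt.pac.group_sids])


def acl_allows(acl: List[Tuple[str, str]], token: frozenset) -> bool:
    """Evaluate the entry's ACL against the token; an explicit deny wins."""
    if any(kind == "deny" and sid in token for kind, sid in acl):
        return False
    return any(kind == "allow" and sid in token for kind, sid in acl)


def lookup_as(db: Dict[str, DbEntry], principal: str, token: frozenset) -> Optional[DbEntry]:
    """Query the DB under the token; a denied entry is reported as not found."""
    entry = db.get(principal)
    if entry is None or not acl_allows(entry.acl, token):
        return None
    return entry


def handle_s4u2self(db: Dict[str, DbEntry], tgt: Tgt, target_user: str) -> Tuple[str, str]:
    """KDC-side handling of the S4U2Self request: token first, then the lookup."""
    token = build_authz_token(tgt)
    entry = lookup_as(db, target_user, token)
    if entry is None:
        # Matches the symptom in the linked article: the impersonated user
        # "does not exist" from the impersonator's point of view.
        return ("error", KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return ("ok", entry.principal)


# Constructed sample data: one domain, a web service account and two users.
DOMAIN_USERS = "S-1-5-21-0-0-0-513"   # constructed domain SID, RID 513
WEBSVC_SID = "S-1-5-21-0-0-0-1101"    # constructed SID of the impersonating service

DB: Dict[str, DbEntry] = {
    "alice@EXAMPLE.LOCAL": DbEntry(
        "alice@EXAMPLE.LOCAL",
        acl=[("allow", DOMAIN_USERS), ("deny", WEBSVC_SID)],  # deny perms for the impersonator
    ),
    "bob@EXAMPLE.LOCAL": DbEntry("bob@EXAMPLE.LOCAL", acl=[("allow", DOMAIN_USERS)]),
}

WEBSVC_PAC = Pac(user_sid=WEBSVC_SID, group_sids=[DOMAIN_USERS], signature_ok=True)


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Run the three cases the message discusses and return the KDC's answer for each."""
    with_pac = Tgt("websvc@EXAMPLE.LOCAL", WEBSVC_PAC)
    without_pac = Tgt("websvc@EXAMPLE.LOCAL", None)
    return {
        "allowed": handle_s4u2self(DB, with_pac, "bob@EXAMPLE.LOCAL"),
        "denied_by_acl": handle_s4u2self(DB, with_pac, "alice@EXAMPLE.LOCAL"),
        "no_pac": handle_s4u2self(DB, without_pac, "bob@EXAMPLE.LOCAL"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The point of the model is the ordering: the authorization token is derived from the PAC before the DB is consulted, so a missing or unverifiable PAC and a deny ACE on the target entry both surface as the same client-unknown error, which is why checking the PAC becomes a side effect of the lookup rather than a separate step.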


