KDC Authorization logic of S4U2Self request
iboukris at gmail.com
Wed May 13 12:04:18 UTC 2020
This is a follow-up to:
In short the question was whether the KDC should verify the PAC of the
TGT in the initial S4U2Self request like Windows, and why.
I think the reason Windows requires the PAC in this S4U2Self request
is because it uses the PAC in the TGT in order to construct an
authorization-token, which it then uses to query the impersonated user.
See also this article (I can reproduce it by adding deny perms for the
impersonator on the target client db entry):
If we'd do something like that, then the PAC would implicitly be
required and verified. But I think we'd need changes in the KDC for
that (both heimdal/mit).
More information about the samba-technical
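The check described in the message above, modelled as an added example that is not code from the post, from Samba, Heimdal or MIT: a toy KDC-side decision for an S4U2Self request that requires a PAC in the TGT, verifies its KDC checksum, builds an authorization token from the PAC's principal and groups, and then consults the impersonated user's directory entry, denying when that token hits a deny permission on the entry. The PAC layout, the HMAC-SHA256 checksum, the key, the directory and the result strings are all constructed for illustration and stand in for the real PAC signature and LDAP ACL evaluation.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Dict, Set

# Constructed key standing in for the krbtgt key material that signs the
# PAC's KDC checksum. Not a real key.
KDC_PAC_KEY = b"constructed-kdc-pac-key-not-real"

ALLOW = "ALLOW"
DENY_NO_PAC = "DENY: no PAC in TGT"
DENY_BAD_PAC = "DENY: PAC checksum invalid"
DENY_PAC_MISMATCH = "DENY: PAC principal does not match TGT client"
DENY_NO_TARGET = "DENY: target user not found"
DENY_ACL = "DENY: impersonator denied read on target entry"


@dataclass
class Pac:
    """Minimal stand-in for a PAC: the claims plus a KDC checksum over them."""
    user: str
    groups: List[str]
    checksum: bytes


def pac_body(user: str, groups: List[str]) -> bytes:
    # Canonical encoding so the checksum covers exactly the claims.
    return json.dumps({"user": user, "groups": sorted(groups)}, sort_keys=True).encode()


def issue_pac(user: str, groups: List[str], key: bytes = KDC_PAC_KEY) -> Pac:
    """What the KDC attaches to a TGT at AS time (toy model)."""
    body = pac_body(user, groups)
    return Pac(user, list(groups), hmac.new(key, body, hashlib.sha256).digest())


def verify_pac(pac: Pac, key: bytes = KDC_PAC_KEY) -> bool:
    """Recompute the KDC checksum and compare in constant time."""
    expected = hmac.new(key, pac_body(pac.user, pac.groups), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pac.checksum)


@dataclass
class Tgt:
    client: str
    pac: Optional[Pac] = None  # None models a TGT issued without a PAC


def s4u2self_authorize(tgt: Tgt, target_user: str,
                       directory: Dict[str, Dict[str, Set[str]]]) -> str:
    """Decide whether tgt.client may obtain an S4U2Self ticket for target_user.

    The PAC is implicitly required: without a valid, matching PAC there is
    no authorization token to query the target entry with, so the request
    is refused before any directory lookup happens.
    """
    if tgt.pac is None:
        return DENY_NO_PAC
    if not verify_pac(tgt.pac):
        return DENY_BAD_PAC
    if tgt.pac.user != tgt.client:
        return DENY_PAC_MISMATCH
    entry = directory.get(target_user)
    if entry is None:
        return DENY_NO_TARGET
    # Authorization token: the impersonator's own principal plus its groups.
    token = {tgt.pac.user, *tgt.pac.groups}
    # Constructed ACL model: a deny entry for any token member blocks the read.
    if token & entry["deny_read"]:
        return DENY_ACL
    return ALLOW


# Constructed directory: 'bob' carries an explicit deny for the impersonator,
# mirroring the "deny perms on the target client db entry" case.
DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"deny_read": set()},
    "bob": {"deny_read": {"svc-web"}},
}


if __name__ == "__main__":
    svc = Tgt("svc-web", issue_pac("svc-web", ["Domain Users"]))
    print(s4u2self_authorize(svc, "alice", DIRECTORY))
    print(s4u2self_authorize(svc, "bob", DIRECTORY))
    print(s4u2self_authorize(Tgt("svc-web"), "alice", DIRECTORY))
```

The ordering matters for the point in the message: the PAC checksum and principal match are checked before the directory is consulted, so a TGT without a PAC, or with a modified one, never reaches the ACL query at all.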