Kerberos features talk at sambaxp

Alexander Bokovoy ab at
Wed May 27 19:44:25 UTC 2020

On ke, 27 touko 2020, Stefan Metzmacher via samba-technical wrote:
> Hi Isaac,
> > Thanks for the talk was great, can't wait for the slides :)
> Thanks! I'm sorry not to finish in time:-(
> I may be able to complete the recording to the end for the archives.
> StefanMetzmacher_sambaxp2020_Modern_Kerberos-rev0-compact.pdf
> can be found under:
> >
> Also checkout the latest wireshark!
> > I don't recall a problem with the enterprise principals in old
> > S4U2Self padata, but I mostly test MIT client, I'll give it a try.
> I'm also not 100% sure, but I thought you told me about it:-)
> I think the difference is also the client principal in the referral
> tickets on the way back.

As part of our work on server referrals in FreeIPA, Isaac and I made a
tool that might be useful for these investigations:

It uses GSSAPI and Samba's libndr to obtain tickets and print content of
a PAC. Obviously, it can be extended to print more ticket details if

It is able to acquire normal service tickets and S4U2Self ones, with
enterprise principals or not. We use it in FreeIPA tests in-realm and
for cross-realm operations.

To compile it on something like Fedora you can use the following line:

gcc -g -Wall -Werror -o print-pac -I/usr/include/samba-4.0 print-pac.c  -lgssapi_krb5 -lkrb5 -L/usr/lib64/samba -Wl,-rpath=/usr/lib64/samba -lndr-samba4 -lndr-krb5pac -lndr  -ltalloc -lsamba-util -lpopt

It is basically Samba libraries + Kerberos/GSSAPI + popt.

If people are interested, I can submit it to Samba upstream as well.

/ Alexander Bokovoy

More information about the samba-technical mailing list