Kerberos features talk at sambaxp

Stefan Metzmacher metze at
Wed May 27 19:47:21 UTC 2020

Am 27.05.20 um 21:44 schrieb Alexander Bokovoy:
> On ke, 27 touko 2020, Stefan Metzmacher via samba-technical wrote:
>> Hi Isaac,
>>> Thanks for the talk was great, can't wait for the slides :)
>> Thanks! I'm sorry not to finish in time:-(
>> I may be able to complete the recording to the end for the archives.
>> StefanMetzmacher_sambaxp2020_Modern_Kerberos-rev0-compact.pdf
>> can be found under:
>> Also checkout the latest wireshark!
>>> I don't recall a problem with the enterprise principals in old
>>> S4U2Self padata, but I mostly test MIT client, I'll give it a try.
>> I'm also not 100% sure, but I thought you told me about it:-)
>> I think the difference is also the client principal in the referral
>> tickets on the way back.
> As part of our work on server referrals in FreeIPA, Isaac and I made a
> tool that might be useful for these investigations:
> It uses GSSAPI and Samba's libndr to obtain tickets and print content of
> a PAC. Obviously, it can be extended to print more ticket details if
> needed.
> It is able to acquire normal service tickets and S4U2Self ones, with
> enterprise principals or not. We use it in FreeIPA tests in-realm and
> for cross-realm operations.
> To compile it on something like Fedora you can use the following line:
> gcc -g -Wall -Werror -o print-pac -I/usr/include/samba-4.0 print-pac.c  -lgssapi_krb5 -lkrb5 -L/usr/lib64/samba -Wl,-rpath=/usr/lib64/samba -lndr-samba4 -lndr-krb5pac -lndr  -ltalloc -lsamba-util -lpopt
> It is basically Samba libraries + Kerberos/GSSAPI + popt.
> If people are interested, I can submit it to Samba upstream as well.

Isn't that what 'net ads kerberos pac dump' already does?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list