Kerberos features talk at sambaxp

Isaac Boukris iboukris at
Wed May 27 21:16:08 UTC 2020

On Wed, May 27, 2020 at 9:20 PM Stefan Metzmacher <metze at> wrote:
> StefanMetzmacher_sambaxp2020_Modern_Kerberos-rev0-compact.pdf
> can be found under:
> >

Excellent, thanks!

As a feature, I think RBCD will also be quite useful in samba deployments.

> Also checkout the latest wireshark!
> > I don't recall a problem with the enterprise principals in old
> > S4U2Self padata, but I mostly test MIT client, I'll give it a try.
> I'm also not 100% sure, but I thought you told me about it:-)

Maybe it was something else, I'll make a python test and try it
against windows :)

> I think the difference is also the client principal in the referral
> tickets on the way back.

Hmm, the PAC in the referral will be signed with user at dom@REALM, but
that doesn't depend on the padata type that was used.

> Isn't that what 'net ads kerberos pac dump' already does?

We should have an enterprise flag for net-ads-kerberos-pac-dump, I
think I have a patch for it somewhere.

More information about the samba-technical mailing list