[Samba] RE: Delegation of authentication (S4U) and SAMBA
Ephi Dror
Ephi.Dror at datadomain.com
Tue Feb 12 20:15:01 GMT 2008
Hello,
Does samba support the use of S4U?
What do we need to configure in SAMBA or krb5 to support getting a
ticket obtained by S4U. We are using 3.0.25 and krb5-1.4.1
We are getting the following error:
decode_pac_data: Name in PAC [username at something1.something2.realmname]
does not match principal name in ticket
The ticket could be different than the PAC name because the ticket was
obtained using S4U extension.
Any help will be really appreciated.
Cheers,
Ephi
Background:
http://searchwindowssecurity.techtarget.com/news/article/0,289142,sid45_
gci1013484,00.html
Kerberos' ability to support delegation is a consequence of its unique
ticketing mechanism. When sending a ticket to a server, the Kerberos
client can add additional information to it so the server can reuse it
to request other tickets on the user's behalf to the Kerberos KDC
More information about the samba
mailing list