[Samba] RE: Delegation of authentication (S4U) and SAMBA

Ephi Dror Ephi.Dror at datadomain.com
Tue Feb 12 20:15:01 GMT 2008



Does Samba support the use of S4U?


What do we need to configure in SAMBA or krb5 to support getting a
ticket obtained by S4U? We are using 3.0.25 and krb5-1.4.1.


We are getting the following error:


decode_pac_data: Name in PAC [username at something1.something2.realmname]
does not match principal name in ticket


The ticket could be different than the PAC name because the ticket was
obtained using S4U extension.


Any help will be really appreciated.









Kerberos' ability to support delegation is a consequence of its unique
ticketing mechanism. When sending a ticket to a server, the Kerberos
client can add additional information to it so the server can reuse it
to request other tickets on the user's behalf to the Kerberos KDC.

