[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing

Rowland Penny rpenny at samba.org
Tue Aug 16 19:48:28 UTC 2022


On Tue, 2022-08-16 at 21:31 +0200, Kacper Wirski via samba wrote:
> Thank You,
> 
> So, I suppose, the issue is that a client can still obtain ticket from
> one of the older DCs without PAC and when presenting to new DC, error
> appears? If that's so, then simply upgrading all DCs to min. 4.13.14 or
> higher should "fix" it, right?

No, what I think is happening is that the older DCs are accepting the
PACless tickets, but the new one isn't. The new DC isn't being asked
every time, but when it is, you are getting the message. I think you
need to fix whatever is 'asking' (probably your Java application).

It says on the link I posted earlier:

PAC-free tickets are still supported for target
services (eg NFS), via a flag within the PAC preventing it being
put into the final ticket.

I suppose the question is: How do you set the flag in the PAC?
To which I would have to answer: I do not know.
Hopefully someone does.

Rowland




