Bug 44963 - Samba Kerberos: Bad request for constrained delegation
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
P5 enhancement
Assigned To: Eduard Mai
Arvid Requate
Depends on:
Blocks: 40662
Reported: 2017-07-10 18:46 CEST by Arvid Requate
Modified: 2023-03-25 06:54 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
requate: Patch_Available+


Attachments
0110_s4u2proxy_realm.patch (1.25 KB, patch)
2017-07-10 18:46 CEST, Arvid Requate
Description Arvid Requate univentionstaff 2017-07-10 18:46:41 CEST
Created attachment 9007
0110_s4u2proxy_realm.patch

For Bug 37687#c5 I've created the attached patch for the standalone Heimdal KDC but in the end we didn't apply that patch, because it was not necessary to fix the issue central to that bug.

Now the report of Bug #40662 Comment 15 suggests that the patch may actually be relevant to fix the issue of broken GPO evaluation in the context of AD domain trust configurations.

It applies cleanly to the samba/source4 builtin heimdal code, so we should give it a try.
Comment 1 Arvid Requate univentionstaff 2017-12-13 21:42:53 CET
Eduard tested it and it didn't fix the GPO issue in the AD trust scenario.
In fact, the "Kerberos: constrained delegation" error message is also logged in the case where the GPO evaluation works (and the code doesn't even come that far in the case where GPO evaluation aborts).