Univention Bugzilla – Bug 44963
Samba Kerberos: Bad request for constrained delegation
Last modified: 2023-03-25 06:54:01 CET
Created attachment 9007: 0110_s4u2proxy_realm.patch

For Bug 37687#c5 I've created the attached patch for the standalone Heimdal KDC but in the end we didn't apply that patch, because it was not necessary to fix the issue central to that bug. Now the report of Bug #40662 Comment 15 suggests that the patch may actually be relevant to fix the issue of broken GPO evaluation in the context of AD domain trust configurations. It applies cleanly to the samba/source4 builtin heimdal code, so we should give it a try.
Eduard tested it and it didn't fix the GPO issue in the AD trust scenario. In fact, the "Kerberos: constrained delegation" error message is also logged in the case where the GPO evaluation works (and the code doesn't even come that far in the case where GPO evaluation aborts).