I have the following setup: Member in W4EDOM-L4.BASE user in S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE chain: W4EDOM-L4.BASE <=Forest-Trust=> W2012R2-L4.BASE <=Parent-Child-Trust=> S1-W2012-L4.W2012R2-L4.BASE <=Parent-Child-Trust=> S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE The ticket for administrator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE arrives on the member with transited = S1-W2012-L4.W2012R2-L4.BASE, which was added by the DC of W2012R2-L4.BASE. The function krb5_check_transited() is called via gss_accept_sec_context() and fails with KRB5KRB_AP_ERR_ILL_CR_TKT; Which causes krb5_decrypt_ticket() to fail, in the log file it seems that the provided keytab didn't have the correct key to decrypt.
The same problem happens with MIT Kerberos.
There were a discussion about this in August 2017: https://lists.samba.org/archive/samba-technical/2017-August/thread.html#122422
Created attachment 15491 [details] Work in progress for master
See also https://lists.samba.org/archive/samba-technical/2019-November/thread.html#134553 ... > I've used a modified Samba KDC (realm W4EDOM-L4.BASE) to generate > tickets with invalid names (crealm: FAKEPRINC.PUBLIC) > and tested the reaction of Windows KDC (realm: W2012R2-L4.BASE) when > they received such a Ticket over a forest trust, where realm > FAKRPRINC.PUBLIC is not configure as valid realm (upn-suffix) the for > the trust boundary. > > krb5-without-pac-fake-realm-03.pcap.gz has no PAC in the ticket for > TGS-REQ in frame 9. The crealm: FAKEPRINC.PUBLIC is rejected with > ERR_POLICY in frame 10. > > krb5-with-pac-fake-realm-03.pcap.gz has a valid PAC (with the correct > names and signatures) but an altered crealm. This is also rejected with > ERR_POLICY. > > So the policy check are not bound to the PAC, which means we can always > use GSS_KRB5_CRED_NO_TRANSIT_CHECK_X if we're member of an active > directory domain. ... I'll also upload the captures and keytab here too...
Created attachment 15627 [details] all.keytab (for krb5-without-pac-fake-realm-03.pcap.gz and krb5-with-pac-fake-realm-03.pcap.gz)
Created attachment 15628 [details] krb5-without-pac-fake-realm-03.pcap.gz
Created attachment 15629 [details] krb5-with-pac-fake-realm-03.pcap.gz
More discussion links: https://lists.samba.org/archive/samba-technical/2019-December/134622.html https://lists.samba.org/archive/samba-technical/2020-January/thread.html#134766 https://lists.samba.org/archive/samba-technical/2020-February/134808.html
(In reply to Stefan Metzmacher from comment #8) https://lists.samba.org/archive/samba-technical/2021-August/thread.html#136776