Modern Windows versions send encrypted authorization-data a long with TGS requests. If this is combined with S4U2Proxy requests a Samba (heimdal based) KDC is unable to decrypt the authorization data from the client.
Created attachment 13863 [details] Work in progress patches
Comment on attachment 13863 [details] Work in progress patches The current pathes are on https://gitlab.com/samba-team/samba/-/merge_requests/2458
This bug was referenced in samba master: 489cdefa6ab1bf7bd5cf3ea0ea64c03dc08fa8bd
Will be fixed in 4.19