Modern Windows versions send encrypted authorization-data a long with TGS requests. If this is combined with S4U2Proxy requests a Samba (heimdal based) KDC is unable to decrypt the authorization data from the client.
Created attachment 13863 [details] Work in progress patches
Comment on attachment 13863 [details] Work in progress patches The current pathes are on https://gitlab.com/samba-team/samba/-/merge_requests/2458