A bug seems to be observed in the formulation of the response of the KDC to S4U2Self requests.
This problem has been observed when using an OpenSSH server on a Windows machine (W10, Windows Server 2016). It appears that machines receiving a ticket with non-HMAC encryption fail to authenticate domain users. The same thing happens in public key authentication.
You will find more information on this link:
Someone working for the Windows Auth team noticed a problem with a Wireshark packet capture.
Please find his comment by following this link.
In addition, I was able to find a document dealing with the S4U2Self written by Stefan Metzmacher.
It seems that the bug has been fixed in the 7.7.0 release of Heimdal.
The bug is fixed in version 4.13 of Samba by this commit:
Would it be possible to have a patch with this commit for versions 4.9, 4.10, 4.11, and 4.12 please?
Is it also possible to add these two commits to the patch please?
I'm very sorry, but per https://wiki.samba.org/index.php/Samba_Release_Planning#General_information Samba 4.12 and earlier are now only supported for security fixes, not general fixes.
You could approach whoever is supporting your older Samba versions to backport a patch, but otherwise we strongly recommend an upgrade to a supported version.
As the fix is noted as being in Samba 4.13 we need to mark this as RESOLVED/FIXED here.