Hello, A bug seems to be observed in the formulation of the response of the KDC to S4U2Self requests. This problem has been observed when using an OpenSSH server on a Windows machine (W10, Windows Server 2016). It appears that machines receiving a ticket with non-HMAC encryption fail to authenticate domain users. The same thing happens in public key authentication. You will find more information at this link: https://github.com/PowerShell/Win32-OpenSSH/issues/1543 Someone working for the Windows Auth team noticed a problem with a Wireshark packet capture. Please find his comment by following this link: https://github.com/PowerShell/Win32-OpenSSH/issues/1543#issuecomment-818986844 In addition, I was able to find a document dealing with S4U2Self written by Stefan Metzmacher: https://www.samba.org/~metze/presentations/2020/SambaXP/StefanMetzmacher_sambaxp2020_Modern_Kerberos-rev0-compact.pdf It seems that the bug has been fixed in the 7.7.0 release of Heimdal.
The bug is fixed in version 4.13 of Samba by this commit: https://gitlab.com/samba-team/samba/-/commit/6095a4f0d58cad3dde6e76cadd7bcae0a240c9e6 Would it be possible to have a patch with this commit for versions 4.9, 4.10, 4.11, and 4.12 please?
Is it also possible to add these two commits to the patch please? https://gitlab.com/samba-team/samba/-/commit/8fdff19c5461315556014d25d237a958edeed1a2 https://gitlab.com/samba-team/samba/-/commit/780fbc3004126175c66ec906910453aed866b163
I'm very sorry, but per https://wiki.samba.org/index.php/Samba_Release_Planning#General_information Samba 4.12 and earlier are now only supported for security fixes, not general fixes. You could approach whoever is supporting your older Samba versions to backport a patch, but otherwise we strongly recommend an upgrade to a supported version. As the fix is noted as being in Samba 4.13 we need to mark this as RESOLVED/FIXED here. Sorry,