The KDC doesn’t consider principals of the form ‘krbtgt@realm’ — note the subtle distinction from ‘krbtgt/realm@realm’ — to be TGS principals. It will still issue TGTs to such principals, but these TGTs will have various anomalies: for example, they will not contain REQUESTER_SID PAC buffers; and if the client requests the PAC not to be issued, they will not even contain a PAC.
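An added example, not code from the bug report or from Samba or Heimdal: a small Python parser that tells the two principal forms apart, so an auditor can flag the single-component 'krbtgt@realm' look-alike in principal names; it also accepts the cross-realm 'krbtgt/OTHER@realm' form as a TGS principal. The realm and sample names are constructed.

```python
from typing import List, Tuple


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split an unparsed Kerberos name into (components, realm): '/' separates
    components, the first unescaped '@' starts the realm, '\\' escapes."""
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":  # escaped character: take the next one literally
            if i + 1 >= len(name):
                raise ValueError("dangling escape at end of name")
            buf.append(name[i + 1])
            i += 2
            continue
        if ch == "@":
            if in_realm:
                raise ValueError("more than one unescaped '@'")
            components.append("".join(buf))
            buf, in_realm = [], True
        elif ch == "/" and not in_realm:
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    realm = "".join(buf)
    if not in_realm or not realm or "" in components:
        raise ValueError("malformed principal name: %r" % name)
    return components, realm


def classify(name: str, local_realm: str) -> str:
    """'tgs' for krbtgt/<realm>@<local realm> (including the cross-realm
    form), 'lookalike' for the single-component krbtgt@<local realm>,
    'other' for anything else. Realm comparison is exact (case-sensitive).
    """
    components, realm = parse_principal(name)
    if realm == local_realm and components[0] == "krbtgt":
        if len(components) == 2:
            return "tgs"
        if len(components) == 1:
            return "lookalike"
    return "other"
```

Note that an escaped slash (`krbtgt\/EXAMPLE.COM@EXAMPLE.COM`) is a single component containing a literal '/', not a TGS name, which is why the parser handles escapes before classifying.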
Is this an issue in our glue layer or Heimdal code?
(In reply to Andreas Schneider from comment #1) Both. I’ve opened MR 3282 to address this, but it needs a few things fixed up so that it can pass CI, and a new Heimdal import.
This bug was referenced in samba master: f266f5c670b4338e38ed42adc8aa81e5fa580ec1 3917a1995c319a70828b7b29866a6db1fb42e637 800f3203b1dd61531e7b861738558e751e45f8af 9a0c5ee4aefac943ee21e93af643b44e336c3563 865e4f0f8cb0f15da5d5cf8cc62d6bf7c57a8d1c 6d7a05bf780481a2792ff87ae635fb91e1f0c640 7b68f751be14cfbbab49ffa0084cc72e41d0a3f5 ddef0e5e1f63775cd22ee3b3febc6f765abbebf8 122117357722445526124ec5ecf9e152bc8e2c87 ea6d2ddb66ec28097c1fe47e2d0a9ab8c1f3e7c6 d57f3bdcd3374b9661571e5e815be93c666a47cf