The KDC doesn’t consider principals of the form ‘krbtgt@realm’ — note the subtle distinction from ‘krbtgt/realm@realm’ — to be TGS principals. It will still issue TGTs to such principals, but these TGTs will have various anomalies: for example, they will not contain REQUESTER_SID PAC buffers; and if the client requests the PAC not to be issued, they will not even contain a PAC.
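The distinction between the two name forms described above, as an added Python example that is not part of the bug report and is not Samba or Heimdal code: it classifies a principal purely by name shape, so an audit of principal names can pick out the single-component `krbtgt@realm` form. The function names, the labels it returns, the case-insensitive comparison and the sample names are assumptions of this example.

```python
KRBTGT = "krbtgt"

def parse_principal(name):
    """Split an unparsed principal name into (components, realm).

    Simplified: a backslash-escaped character is taken literally, so an
    escaped '/' or '@' stays inside its component.
    """
    comps, cur, realm, in_realm = [], [], [], False
    chars = iter(name)
    for ch in chars:
        target = realm if in_realm else cur
        if ch == "\\":
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("dangling escape in principal name")
            target.append(nxt)
        elif ch == "@" and not in_realm:
            in_realm = True
        elif ch == "/" and not in_realm:
            comps.append("".join(cur))
            cur = []
        else:
            target.append(ch)
    comps.append("".join(cur))
    return comps, ("".join(realm) if in_realm else None)

def classify(name):
    """Return 'tgs', 'krbtgt-single-component' or 'other' from name shape."""
    comps, _realm = parse_principal(name)
    # Case-insensitive match is a choice of this example, made so an audit
    # does not miss case variants.
    if comps[0].casefold() != KRBTGT:
        return "other"
    if len(comps) == 2:
        return "tgs"                      # krbtgt/REALM@REALM
    if len(comps) == 1:
        return "krbtgt-single-component"  # krbtgt@REALM, the form reported above
    return "other"

def flag_single_component(names):
    """Names an audit should review: krbtgt with no instance component."""
    return [n for n in names if classify(n) == "krbtgt-single-component"]

# Constructed sample names; EXAMPLE.COM is a placeholder realm.
SAMPLE = [
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "krbtgt@EXAMPLE.COM",
    "host/krbtgt@EXAMPLE.COM",
    "krbtgt\\/EXAMPLE.COM@EXAMPLE.COM",
]

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{n:40} {classify(n)}")
```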
Is this an issue in our glue layer or Heimdal code?
(In reply to Andreas Schneider from comment #1)
Both. I’ve opened MR 3282 to address this, but it needs a few things fixed up so that it can pass CI, and a new Heimdal import.
This bug was referenced in samba master: