E.g. Apple Kerberos SSO uses a Kerberos User2User TGS-REQ in order to get a PAC for a user, instead of getting a PAC using a TGS-REQ for the machine account. If the account is not a computer and does not have a servicePrincipalName attribute, we don't allow it to act as a server, because it would allow an offline attack against the password of the user. However, Kerberos User2User is designed exactly for that, so that the session key of the additional ticket is used instead of the password of the user account. So our current logic is too strict.
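A small model of the KDC decision the report describes, added here as an illustration and not taken from Samba or Heimdal; the `Account`/`TgsRequest` names and the byte strings are constructed for the example:

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Account:
    name: str
    is_computer: bool = False
    spns: Tuple[str, ...] = ()      # servicePrincipalName values; () = absent
    long_term_key: bytes = b""      # derived from the password; guessable offline


@dataclass
class TgsRequest:
    target: Account
    # User2User: the client presents the target user's TGT as an additional
    # ticket; its (random) session key replaces the target's long-term key.
    additional_ticket_session_key: Optional[bytes] = None


class NotAllowedAsServer(Exception):
    """The KDC refuses to issue a service ticket for this target."""


def ticket_encryption_key(req: TgsRequest, strict: bool) -> bytes:
    """Return the key the issued service ticket would be encrypted with.

    strict=True models the logic the report calls too strict: a target that
    is neither a computer nor SPN-bearing is rejected even for User2User.
    strict=False models the corrected reasoning: a User2User ticket is sealed
    with the additional ticket's session key, so no password-derived key is
    exposed and a plain user account may be the target.
    """
    u2u = req.additional_ticket_session_key is not None
    may_act_as_server = req.target.is_computer or bool(req.target.spns)
    if not may_act_as_server and (strict or not u2u):
        # Sealing with the long-term key would let any holder of the ticket
        # try password guesses offline, so the request is refused.
        raise NotAllowedAsServer(req.target.name)
    if u2u:
        return req.additional_ticket_session_key
    return req.target.long_term_key
```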
This bug was referenced in samba master: c99fe118fdf11c641d74a51d33b52ac411db95f5 cbb8145d0c58b34b76a579afd81f0e19ec7106b6 bf79979f847de36db9da9646a396cdfe6b0e1c6f
Created attachment 18159: Patches for v4-19-test
Comment on attachment 18159 (Patches for v4-19-test): I note here on the bug that the line "(cherry picked from commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6)" is significant. The third_party/heimdal tree in 4.19 is no longer a match for the indicated lorikeet-heimdal commit; it is maintained in-tree from here, as we don't have multiple branches of lorikeet-heimdal.
Created attachment 18176: Patches for v4-19-test. The previous patches didn't apply. I suspect the patches were in the wrong order. In master, the third patch of the previous set comes first. I have only changed the order. Please check.
Pushed to autobuild-v4-19-test.
This bug was referenced in samba v4-19-test: 166035b7c557b0d3ef61eaaa85a24bc0b805d8c3 94fa28979065556a8c0fa71095d87a15c9c6488c 3b649ba044c8d287bc179c3f17ee850eb5dae820
Closing out bug report. Thanks!
This bug was referenced in samba v4-19-stable (Release samba-4.19.3): 166035b7c557b0d3ef61eaaa85a24bc0b805d8c3 94fa28979065556a8c0fa71095d87a15c9c6488c 3b649ba044c8d287bc179c3f17ee850eb5dae820