
Date: Wed, 4 Dec 2013 17:17:27 +0100
From: Sumit Bose <>
To: krb5-bugs@MIT.EDU
Subject: PoC to fix cross realm S4U2Self

with the attached patch S4U2Self works for me even in cross-realm
environments; I tested this even with AD forest trust. I think this
issue is reported in ticket #7022 as well.

The idea is to convert in krb5_get_self_cred_from_kdc() the server part
of the s4u creds to an enterprise principal before sending it to a
different realm and convert it back to a plain principal when coming
back to the local realm. I'm not sure if this is the right way to fix
it. The patch needs some improvements (coding style, freeing memory,
...) and I'd be happy to send a better version, but I would like to get
some feedback on whether the general solution seems to be correct or if this
issue should be solved differently.

Thanks for your help.



This may be the right approach, but I'm not sure. I will need to
research this and perhaps ask Microsoft to make a clarification to [MS-
S4U].
Date: Tue, 3 Feb 2015 15:51:04 +0100
From: Sumit Bose <>
To: Greg Hudson via RT <>
Subject: Re: [ #7790] PoC to fix cross realm S4U2Self
On Mon, Dec 09, 2013 at 02:37:59PM -0500, Greg Hudson via RT wrote:
> This may be the right approach, but I'm not sure. I will need to
> research this and perhaps ask Microsoft to make a clarification to [MS-
> S4U].

Are there any news on this topic? Did the response from Microsoft help?

Microsoft's answer confirmed that an enterprise principal is the most
general way for a server to identify itself when making an S4U2Self
request to another realm's KDC, and expressed an intent to update their
documentation (but they don't seem to have done so yet).

I thought I had previously heard that you had a cleaned-up version of
this patch. If so, you could make a pull request on or
send it here. If all you have so far is the PoC patch, we will find
time to clean it up and integrate it some time during the 1.14
development cycle.
Candidate patch here:

The patch includes an automated test for the client behavior, but it
would be useful for people to test this against Windows KDCs.

I did not preserve the check for krbtgt server principals which was
present in the proof-of-concept, because I don't know why a krbtgt
principal would ever make an S4U2Self request, or why it should be
treated differently if it did.
Subject: git commit

Make cross-realm S4U2Self work

When sending an S4U2Self query to a foreign realm, send an enterprise
server principal so that the foreign KDC can identify the home realm
of the server principal.

To make this work, adjust the memory management of
krb5_get_self_cred_from_kdc(). s4u_creds is now a shallow copy of
in_creds which owns no memory. A new variable eprinc owns the
enterprise form of the server principal, constructed using a new
helper function convert_to_enterprise(). Since we have to set the
server realm for KDC-REQ encoding to work, a new temporary variable
sprinc holds a shallow copy of *eprinc with the realm pointing to the
realm we are currently querying.

Based on a patch by Sumit Bose.
Author: Greg Hudson <>
Commit: 16128e80d30b4f5e03c2f4fd3d1024216eed3fa4
Branch: master
src/lib/krb5/krb/s4u_creds.c | 58 ++++++++++++++++++++++++++---------------
src/tests/gssapi/ | 17 ++++++++++++
2 files changed, 54 insertions(+), 21 deletions(-)
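As an added illustration (not the project's code), the data flow the commit message describes: a miniature struct stands in for krb5_principal_data so it builds without libkrb5, the service, host and realm names are constructed, and the unescaped unparse is an assumption (real krb5_unparse_name escapes special characters).

```c
#include <stdlib.h>
#include <string.h>
/* Miniature of krb5_principal_data (added illustration, not libkrb5 code). */
#define NT_PRINCIPAL            1   /* KRB5_NT_PRINCIPAL, RFC 4120 */
#define NT_ENTERPRISE_PRINCIPAL 10  /* KRB5_NT_ENTERPRISE_PRINCIPAL, RFC 6806 */
typedef struct {
    int type;
    const char *realm;   /* never owned in this miniature */
    char *comps[2];      /* comps[0] is owned only in the enterprise form */
    int ncomps;
} princ;

/* Join the components with '/' and append "@realm"; assumes no characters
 * that krb5_unparse_name would need to escape. Caller frees the result. */
static char *unparse(const princ *p)
{
    size_t len = strlen(p->realm) + 2;
    char *out; int i;
    for (i = 0; i < p->ncomps; i++)
        len += strlen(p->comps[i]) + 1;
    if ((out = calloc(1, len)) == NULL)
        return NULL;
    for (i = 0; i < p->ncomps; i++)
        strcat(i ? strcat(out, "/") : out, p->comps[i]);
    return strcat(strcat(out, "@"), p->realm);
}

/* eprinc in the commit: owned enterprise form whose single component is the
 * server's full home-realm name, so a foreign KDC can tell its home realm. */
static princ convert_to_enterprise(const princ *p)
{
    princ e = { NT_ENTERPRISE_PRINCIPAL, p->realm, { unparse(p), NULL }, 1 };
    return e;
}

/* sname for the KDC-REQ sent to realm `queried`: sprinc is a shallow copy of
 * eprinc with only the realm swapped, so it owns nothing and is never freed. */
char *s4u_server_name_for_realm(const char *svc, const char *host,
                                const char *home, const char *queried)
{
    princ plain = { NT_PRINCIPAL, home, { (char *)svc, (char *)host }, 2 };
    princ eprinc = convert_to_enterprise(&plain), sprinc = eprinc;
    char *name;
    if (eprinc.comps[0] == NULL)
        return NULL;
    sprinc.realm = queried;
    name = unparse(&sprinc);
    free(eprinc.comps[0]);   /* only the owning copy is released */
    return name;
}
```

For a server HTTP/www.example.com in EXAMPLE.COM querying the realm AD.EXAMPLE.NET, the function yields the single-component enterprise name HTTP/www.example.com@EXAMPLE.COM under the queried realm.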