Skip Menu |

To: <>
From: Bar Hofesh <>
Subject: KDC has no support for padata type while using t_s4u from git
Date: Mon, 4 Jul 2016 11:06:41 +0300
Proxy: (has a keytab, user account, trusted to delegate all services, also domain admin)
user to proxy: noob@sa-dev.local (domain user)
target site:
AD: windows server 2008R2


klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/01/1970 02:00:00 host/ (arcfour-hmac)

Getting a ticket:

kinit -k -p -f host/


Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/

Valid starting       Expires              Service principal
07/04/2016 10:56:00  07/04/2016 20:56:00  krbtgt/SA-DEV.LOCAL@SA-DEV.LOCAL
    renew until 07/05/2016 10:56:00

Trying to Proxy:

./t_s4u p:noob@SA-DEV.LOCAL h:sp2013@SA-DEV.LOCAL /etc/krb5.keytab
Protocol transition tests follow

gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
gss_acquire_cred_impersonate_name: KDC has no support for padata type

Bar Hofesh

Information Security Architect
Support: (IL)1700700139, 927-9-8666110(ext 231)
Haatzmaut 40 St, first floor.
84150, Israel

Download image002.jpg
image/jpeg 1.5KiB

Image displayed inline above