search for: krb5kdc_err_policy

I attempted to set up unsolicited remote assistance via group policy, but connections to the client machines fail. A network trace show the 'expert' machine doing a TGS-REQ to the DC which responds with a KRB5KDC_ERR_POLICY. This seems to be the origin of the problem. I noticed in the request, the username of the 'novice' is given as the Server Name but is otherwise pretty unremarkable. Has anyone successfully gotten this working on a Samba4 AD domain?

...with kinit -F command from the Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable". Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html) which states: 0x00100000: UF_NOT_DELEGATED: The UF_NOT_DELEGATED can be used to disable the ability to get forwar...

...mmand from the Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable". >> >> Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html) which states: >> >> 0x00100000: UF_NOT_DELEGATED: >> The UF_NOT_DELEGATED can be used to disable...

...d from the Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable". > > > > Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html) which states: > > > > 0x00100000: UF_NOT_DELEGATED: > > The UF_NOT_DELEGATED can be used to d...

...t -F command from the Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable". > > Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html) which states: > > 0x00100000: UF_NOT_DELEGATED: > The UF_NOT_DELEGATED can be used to disable the abilit...

...e Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable". > > > > > > Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html) which states: > > > > > > 0x00100000: UF_NOT_DELEGATED: > > > The UF_NOT_DELEGATED can...