diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index f09dbcd6bd7..95db6f7d4e8 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -70,6 +70,7 @@
 #
 # S4U tests
 #
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_constrained_delegation_old_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_unkeyed_client_checksum
diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c
index 3e45125d35e..6535a9bdcc4 100644
--- a/source4/heimdal/lib/krb5/pac.c
+++ b/source4/heimdal/lib/krb5/pac.c
@@ -62,10 +62,12 @@ struct krb5_pac_data {
 #define PACTYPE_SIZE			8
 #define PAC_INFO_BUFFER_SIZE		16
 
+#define PAC_LOGON_INFO			1
 #define PAC_SERVER_CHECKSUM		6
 #define PAC_PRIVSVR_CHECKSUM		7
 #define PAC_LOGON_NAME			10
 #define PAC_CONSTRAINED_DELEGATION	11
+#define PAC_UPN_DNS_INFO		12
 #define PAC_TICKET_CHECKSUM		16
 
 #define CHECK(r,f,l)						\
@@ -1184,7 +1186,17 @@ _krb5_pac_sign(krb5_context context,
 		ret = krb5_enomem(context);
 		goto out;
 	    }
-	    /* XXX if not aligned, fill_zeros */
+
+	    if (p->pac->buffers[i].type == PAC_LOGON_INFO
+		|| p->pac->buffers[i].type == PAC_UPN_DNS_INFO)
+	    {
+		uint32_t rounded = (len + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT
+		    * PAC_ALIGNMENT;
+		uint32_t remaining = rounded - len;
+		CHECK(ret, fill_zeros(context, spdata, remaining), out);
+
+		len = rounded;
+	    }
 	}
 
 	/* write header */