Re: [Samba] Performance Problem / failed to verify PAC server signature

Tue, 22 Nov 2005 09:37:52 -0800 

Christoph Kaegi wrote:

On 22.11-10:58, Guenther Deschner wrote:


-------------------------------------- 8< --------------------------------------
[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
 smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
 check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
[2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
 decode_pac_data: failed to verify PAC server signature
[2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
 ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
-------------------------------------- 8< --------------------------------------


First of all: are you sure you are running Samba 3.0.20? The PAC
verification code is not in any of the 3.0.20/a/b tarball releases (just
accidentially in the 3.0.20a subversion tags directory) but only in the
3.0.21 series of pre-releases/rcs.
The production Server runs 3.0.20, but the test Server, where I analyzed this and where the logs are coming from is 3.0.21rc1 indeed. 

Sorry for the confusion.

But in both cases, the behaviour on the network is the same
(STATUS_LOGON_FAILUREs with a certain delay, depending on load)



Then you most probably are forced to use DES keys when authenticating with
Kerberos on your OS, right? PAC verification must then fail due to a bug
in Windows (which fails to put DES-based checksum into the PAC
signatures), so we can't verify the signature. What exact Kerberos library
are you using (version) ?



Hm, how can I determine, if I use DES keys? I have the following in
krb5.conf (if that is what you mean):

-------------------------------------- 8< --------------------------------------
   default_tkt_enctypes = des-cbc-crc, des-cbc-md5
   default_tgs_enctypes = des-cbc-crc, des-cbc-md5
-------------------------------------- 8< --------------------------------------

I derived this from google knowledge, but I'll change this
gladly if you tell me it is wrong.

Kerberos is MIT Kerbers5 1.4


With Kerberos 1.4 you should include rc4-hmac in the list of enctypes.
It is the native mode of windows.

Regards, Doug
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Reply via email to