Re: [Samba] Performance Problem / failed to verify PAC server signature

2007-08-29 Thread Gerald (Jerry) Carter

Ying,

   ads_secrets_verify_ticket: enc type [3] decrypted message !
 ..
 smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad
 encryption type
 check_pac_checksum: PAC Verification failed: Bad encryption type
...
 I'm wondering whether it's an abnormal behavior, or there 
 is a specific fix to improve performance. Could somebody look
 at this and help me out?

It looks like you have the DES only bit set on the machine
trust account.  I have this vague memory of the PAC checksum
always being signed using RC4-HMAC.  Do your Krb5 libs support
that enc type?  It doesn't appear that they do based on your
logs.  Or maybe the support was just not detected when Samba
was compiled.
cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Performance Problem / failed to verify PAC server signature

2007-08-14 Thread Li, Ying (ESG)
Hello,

We are experiencing lower ADS performance on Samba-3.0.22 for HPUX. I
did a Google search and found an earlier message posted at
http://lists.samba.org/archive/samba/2005-November/114231.html.

From my observation, it seems there was a spin on
reply_spnego_negotiate()/reply_spnego_kerberos() calls that invoke
register_vuid() to register a vuid with a different vuid# for a logon user
or a client, and finally kill the intermediate vuid with
invalidate_vuid(vuid). This caused too many SMB calls on the wire (more
than hundreds of SMB calls, including
SMBsesssetup, SMBtcon, SMBtdis, SMBclose, SMBulogoff) that do nothing.

[2007/08/14 12:01:03, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error
Bad encryption type
[2007/08/14 12:01:03, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error
Bad encryption type
[2007/08/14 12:01:03, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error
Bad encryption type
[2007/08/14 12:01:03, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Bad encryption type
[2007/08/14 12:01:03, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Bad encryption type
[2007/08/14 12:01:03, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(243)
  ads_secrets_verify_ticket: enc type [3] decrypted message !
..
 [2007/08/13 17:52:01, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(697)
smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad
encryption type
 [2007/08/13 17:52:01, 2] libads/authdata.c:check_pac_checksum(659)
check_pac_checksum: PAC Verification failed: Bad encryption type
(-1765328196)
 [2007/08/13 17:52:01, 0] libads/authdata.c:decode_pac_data(870)
decode_pac_data: failed to verify PAC server signature
 [2007/08/13 17:52:01, 3]
libads/kerberos_verify.c:ads_verify_ticket(416)
ads_verify_ticket: failed to decode PAC_DATA:
NT_STATUS_ACCESS_DENIED
..
[2007/08/14 12:01:05, 3] smbd/error.c:error_packet(142)
  error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2007/08/14 12:01:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(558)
  reply_spnego_negotiate, invalidate_vuid

I'm wondering whether it's an abnormal behavior, or there is a specific
fix to improve performance. 
Could somebody look at this and help me out?

Thanks.
-Ying
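As an added example (not Samba code, nor anything the posters ran), a small Python triage of smbd debug records for the pattern Jerry describes above: the service ticket only decrypts with a DES key (enc type 1 or 3) while the PAC checksum cannot be verified. The sample log is constructed after Ying's lines, and the enctype names are the standard RFC 3961/4120 assignments.

```python
"""Triage smbd debug output for the DES-only / PAC-signature failure pattern.
Added example, not Samba code.  Enctype numbers follow RFC 3961/4120; the
sample records are constructed after the lines Ying posted."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
DES_ENCTYPES = {1, 3}

DECRYPT_RE = re.compile(r"ads_secrets_verify_ticket: enc type \[(\d+)\] "
                        r"(decrypted message|failed to decrypt)")
PAC_FAIL_RE = re.compile(r"check_pac_checksum: PAC Verification failed: (.+)")
LOGON_FAIL_RE = re.compile(r"\(SMBsesssetupX\)\s+NT_STATUS_LOGON_FAILURE")


def enctype_name(etype: int) -> str:
    return ENCTYPE_NAMES.get(etype, f"enctype {etype}")


def records(lines: Iterable[str]) -> List[str]:
    """Re-join wrapped smbd records: a record starts at a '[timestamp, level]'
    header and continues on every following line, as in the posted logs."""
    out: List[str] = []
    for line in lines:
        if line.lstrip().startswith("["):
            out.append(line.strip())
        elif out:
            out[-1] += " " + line.strip()
    return out


@dataclass
class Triage:
    decrypted_with: Optional[int] = None   # enctype whose key opened the ticket
    failed_enctypes: List[int] = field(default_factory=list)
    pac_error: Optional[str] = None
    logon_failures: int = 0

    def des_only_suspected(self) -> bool:
        """Ticket decrypted with a DES key but the PAC signature could not be
        verified: the pattern Jerry attributes to a DES-only trust account
        (the PAC checksum being HMAC-MD5 / rc4-hmac based)."""
        return self.decrypted_with in DES_ENCTYPES and self.pac_error is not None


def triage(lines: Iterable[str]) -> Triage:
    t = Triage()
    for rec in records(lines):
        if m := DECRYPT_RE.search(rec):
            etype = int(m.group(1))
            if m.group(2) == "decrypted message":
                t.decrypted_with = etype
            else:
                t.failed_enctypes.append(etype)
        elif m := PAC_FAIL_RE.search(rec):
            t.pac_error = m.group(1).strip()
        elif LOGON_FAIL_RE.search(rec):
            t.logon_failures += 1
    return t


# Constructed sample modelled on Ying's log, wrapped lines included.
SAMPLE_LOG = """\
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(243)
  ads_secrets_verify_ticket: enc type [3] decrypted message !
[2007/08/14 12:01:03, 2] libads/authdata.c:check_pac_checksum(659)
  check_pac_checksum: PAC Verification failed: Bad encryption type
(-1765328196)
[2007/08/14 12:01:03, 0] libads/authdata.c:decode_pac_data(870)
  decode_pac_data: failed to verify PAC server signature
[2007/08/14 12:01:05, 3] smbd/error.c:error_packet(142)
  error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    t = triage(SAMPLE_LOG.splitlines())
    print("ticket key:", enctype_name(t.decrypted_with), "| missing:",
          [enctype_name(e) for e in t.failed_enctypes])
    print("PAC:", t.pac_error, "| logon failures:", t.logon_failures,
          "| DES-only suspected:", t.des_only_suspected())
```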


Re: [Samba] Performance Problem / failed to verify PAC server signature

2005-11-24 Thread Doug VanLeuven

Christoph Kaegi wrote:

On 23.11-02:22, Doug VanLeuven wrote:


Well, no.  Maybe.  Yes.  Been a while since I confronted moving
between des & arc4.

in source/libads/ldap.c
#ifndef ENCTYPE_ARCFOUR_HMAC
   acct_control |= UF_USE_DES_KEY_ONLY;
#endif



I have in source/include/config.h:

  /* Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available */
  /* #undef HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */


Heimdal kerberos defines rc4-hmac this way.

From MIT site:
Supported Encryption Types
arcfour-hmac
rc4-hmac
arcfour-hmac-md5
RC4 with HMAC/MD5
These are all synonyms.



And my MIT 1.4 says in krb5.h:

  [...]
  #define CKSUMTYPE_HMAC_SHA1_96_AES128   0x000f
  #define CKSUMTYPE_HMAC_SHA1_96_AES256   0x0010
  #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
  [...]

That last define of CKSUMTYPE_HMAC_MD5_ARCFOUR doesn't
look promising.


About 20 lines before that you should see
#define ENCTYPE_ARCFOUR_HMAC 0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018

So your compiled samba will have rc4-hmac support.



Does that mean, that my Kerberos library doesn't support
the encryption type that I need? (I checked also krb5-1.4.3, 
which has the same definition)




So my experience is if it is defined in the include file at compile
time, all accounts are created arc4 capable.  I don't see any
flags in the smbd -b build options that confirm this either way.



What is an arc4 capable Unix account?


Not arc4 capable Unix, arc4-hmac capable Windows computer account.
This is the default state of windows accounts and a flag is necessary
to force des-only usage.

In Active Directory
  In domain
 wherever computer accounts get setup
cn=computer name
   userAccountControl: 0x11000
  The two set bits mean:
  UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD
This account is arc4 capable.
An account that is des only has this value:
   userAccountControl: 0x211000
   UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD
   | UF_USE_DES_KEY_ONLY

userAccountControl exists in user accounts too.

ktpass.exe:
   +des (des only - default for command)
   -des (not des only)
Also, I use this samba option:
use kerberos keytab = yes
Which means samba creates /etc/krb5.keytab entries for you when you
join the domain.
If you use that option, your keytab file will probably only have des
entries in it from when you joined and only des-cbc-crc and des-cbc-md5
were allowed.




I rejoined, deleted the AD computer account, recreated it several
times.

All funny things are happening, including:

-- 8< --
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(36)
  ===
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 20569 (3.0.21rc1)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(39)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf

[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(40)
  ===
[2005/11/23 14:32:47, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
-- 8< --

after a successful join...


Bummer, shouldn't happen.  But it could be the kerberos.

I was curious, so I dragged out an old des only machine
used in testing last year.
RH9 with a custom 1.3.5 MIT kerberos.
Ethereal traces on port 88 show machine using only des
Compiled and installed samba 3.0.21pre3 SVN 11739
Ran it in des-only mode without issue, but had no easy way to check
redirected folders.

Then I converted it to your system of using a ktpass.exe generated
keytab using rc4-hmac.

Stopped samba
edit smb.conf and remove use kerberos keytab = yes
Deleted the existing computer account in AD
Deleted the existing mapped user account in AD
Deleted /etc/krb5.keytab
Edit krb5.conf and add rc4-hmac as -first- enctype in list for
  default_tgs_enctypes, default_tkt_enctypes, permitted_enctypes
Deleted samba's private.tdb
Deleted samba's winbindd_cache.tdb (just in case)
Created a new windows user account to be used for mapping in ktpass.exe
Ran ktpass.exe on domain controller with -DesOnly
Read the new keytab and write /etc/krb5.conf with it
Run net ads join
Ethereal trace on port 88 show rc4-hmac negotiated tickets

Using a ktpass.exe generated keytab, the AD computer account and the
AD mapped user account attribute userAccountControl must agree on the
flag UF_USE_DES_KEY_ONLY.  They either both indicate it or they
both don't indicate it, but they can't be mixed.

We'll be enjoying Thanksgiving holiday here.
Regards, Doug


Re: [Samba] Performance Problem / failed to verify PAC server signature

2005-11-24 Thread Doug VanLeuven

Doug VanLeuven wrote:

Then I converted it to your system of using a ktpass.exe generated
keytab using rc4-hmac.

Stopped samba
edit smb.conf and remove use kerberos keytab = yes
Deleted the existing computer account in AD
Deleted the existing mapped user account in AD
Deleted /etc/krb5.keytab
Edit krb5.conf and add rc4-hmac as -first- enctype in list for
  default_tgs_enctypes, default_tkt_enctypes, permitted_enctypes
Deleted samba's private.tdb
Deleted samba's winbindd_cache.tdb (just in case)
Created a new windows user account to be used for mapping in ktpass.exe
Ran ktpass.exe on domain controller with -DesOnly
Read the new keytab and write /etc/krb5.conf with it

  
Typo: should be /etc/krb5.keytab


Run net ads join
Ethereal trace on port 88 show rc4-hmac negotiated tickets

Using a ktpass.exe generated keytab, the AD computer account and the
AD mapped user account attribute userAccountControl must agree on the
flag UF_USE_DES_KEY_ONLY.  They either both indicate it or they
both don't indicate it, but they can't be mixed.

We'll be enjoying Thanksgiving holiday here.
Regards, Doug




Re: [Samba] Performance Problem / failed to verify PAC server signature

2005-11-23 Thread Christoph Kaegi
On 22.11-09:35, Doug VanLeuven wrote:
 
 Hm, how can I determine, if I use DES keys? I have the following in
 krb5.conf (if that is what you mean):
 
 -- 8< --
default_tkt_enctypes = des-cbc-crc, des-cbc-md5
default_tgs_enctypes = des-cbc-crc, des-cbc-md5
 -- 8< --
 
 I derived this from google knowledge, but I'll change this
 gladly if you tell me it is wrong.
 
 Kerberos is MIT Kerberos5 1.4
 
 With Kerberos 1.4 you should include rc4-hmac in the list of enctypes.
 It is the native mode of windows.

Thanks! I added this to my /etc/krb5.conf.

It didn't help my problem though.

Any more hints?

Thanks
Chris

-- 
Christoph Kaegi   [EMAIL PROTECTED]


Re: [Samba] Performance Problem / failed to verify PAC server signature

2005-11-23 Thread Doug VanLeuven

Christoph Kaegi wrote:

On 22.11-09:35, Doug VanLeuven wrote:


Hm, how can I determine, if I use DES keys? I have the following in
krb5.conf (if that is what you mean):

-- 8< --

 default_tkt_enctypes = des-cbc-crc, des-cbc-md5
 default_tgs_enctypes = des-cbc-crc, des-cbc-md5
-- 8< --


I derived this from google knowledge, but I'll change this
gladly if you tell me it is wrong.

Kerberos is MIT Kerberos5 1.4


With Kerberos 1.4 you should include rc4-hmac in the list of enctypes.
It is the native mode of windows.



Thanks! I added this to my /etc/krb5.conf.

It didn't help my problem though.

Any more hints?


Well, no.  Maybe.  Yes.  Been a while since I confronted moving
between des & arc4.

in source/libads/ldap.c
#ifndef ENCTYPE_ARCFOUR_HMAC
acct_control |= UF_USE_DES_KEY_ONLY;
#endif

So my experience is if it is defined in the include file at compile
time, all accounts are created arc4 capable.  I don't see any
flags in the smbd -b build options that confirm this either way.

You could check (if your computer joined a long time ago) using ldp.exe,
which translates the flags into English.
cn=your computer,cn=Computers,cn=your domain
  userAccountControl
  0x0020 ADS_UF_USE_DES_KEY_ONLY
Subtract that out to clear the bit, if set, which it might be, depending
on how long ago you joined.  I use adsiedit.msc which presents the
flag in decimal.

Also, I use this samba option:
use kerberos keytab = yes
Which means samba creates /etc/krb5.keytab entries for you when you
join the domain.
If you use that option, your keytab file will probably only have des
entries in it from when you joined and only des-cbc-crc and des-cbc-md5
were allowed.

You can generate a new set of keys with this command
   net ads changetrustpw
Or you can delete the computer account on the domain controller,
delete the existing keytab entries (or the keytab file if no other
keys are present), and rejoin the domain.
I got leery of changetrustpw because sometimes it would hang in
the kerberos libraries in version krb5 1.3.4 if one ran the command
several times in a short period of time.  Once was always OK.
FWIW I believe it hangs trying to delete older key versions that
are still current and in use.

If you don't use that option and you manually created the keytab entry
with ktpass.exe, then you'd know if you used
 /DesOnly
and if you did, you'd need to cut a new keytab that wasn't des only.

Any way you edit or update, there is caching of tickets going on.
I remember after one long night of updating kerberos and rejoining the
domain, nothing worked.  The machine beat me.  Next day I thought
lets try it one more time.  Worked like a charm without modification.
Kerberos hammered home the lesson that patience is a virtue.
Never did come up with a deterministic method to compute the time
to outlive the cache.  Don't know if it's cached in samba secrets
or the windows domain controller.

Luck, Doug
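The userAccountControl values Doug quotes (0x11000 and 0x211000), the ldp.exe/adsiedit.msc check above and the ktpass keytab agreement rule from his 24 November message, worked through as an added Python example that is not Samba or Microsoft code. Flag values are the documented userAccountControl bits; modeled_join_acct_control() only models the quoted ldap.c snippet and assumes the two base flags Doug observed; the DNs in the sample are placeholders.

```python
"""Decode userAccountControl and check the UF_USE_DES_KEY_ONLY rules from the
thread.  Added example, not Samba or Microsoft code.  Flag values are the
documented userAccountControl bits; sample values are the ones Doug quotes."""
from typing import Dict, List

UAC_FLAGS = {
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000020: "UF_PASSWD_NOTREQD",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00080000: "UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "UF_NOT_DELEGATED",
    0x00200000: "UF_USE_DES_KEY_ONLY",
    0x00400000: "UF_DONT_REQUIRE_PREAUTH",
}
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_USE_DES_KEY_ONLY = 0x00200000


def parse_uac(text: str) -> int:
    """Accept the hex form ldp.exe shows ('0x211000') and the decimal form
    adsiedit.msc shows ('2166784')."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def decode_uac(value: int) -> List[str]:
    """Names of the known bits set, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_des_only(value: int) -> bool:
    return bool(value & UF_USE_DES_KEY_ONLY)


def clear_des_only(value: int) -> int:
    """Clear the flag with a mask.  Doug's 'subtract it out' is only correct
    when the bit is actually set; the mask is safe either way."""
    return value & ~UF_USE_DES_KEY_ONLY


def keytab_accounts_agree(computer_uac: int, user_uac: int) -> bool:
    """ktpass.exe keytab rule from the thread: the computer account and the
    mapped user account must both be DES-only or both not."""
    return is_des_only(computer_uac) == is_des_only(user_uac)


def modeled_join_acct_control(rc4_hmac_compiled_in: bool) -> int:
    """Model of the quoted source/libads/ldap.c snippet: without
    ENCTYPE_ARCFOUR_HMAC at build time the join adds UF_USE_DES_KEY_ONLY.
    Assumes the base flags are the two Doug observes (0x11000)."""
    acct_control = UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD
    if not rc4_hmac_compiled_in:
        acct_control |= UF_USE_DES_KEY_ONLY
    return acct_control


def des_only_accounts(entries: Dict[str, str]) -> List[str]:
    """Audit a {dn: userAccountControl-as-displayed} map and return the DNs
    still carrying UF_USE_DES_KEY_ONLY."""
    return sorted(dn for dn, raw in entries.items() if is_des_only(parse_uac(raw)))


# Constructed directory sample (placeholder DNs, values as shown by ldp/adsiedit).
SAMPLE_ENTRIES = {
    "cn=fileserver1,cn=Computers,dc=example,dc=test": "0x11000",
    "cn=fileserver2,cn=Computers,dc=example,dc=test": "2166784",
    "cn=svc-fileserver2,cn=Users,dc=example,dc=test": "0x10200",
}

if __name__ == "__main__":
    for dn, raw in SAMPLE_ENTRIES.items():
        print(dn, "->", ", ".join(decode_uac(parse_uac(raw))))
    print("DES-only:", des_only_accounts(SAMPLE_ENTRIES))
    print("fileserver2 computer/user agree:", keytab_accounts_agree(
        parse_uac(SAMPLE_ENTRIES["cn=fileserver2,cn=Computers,dc=example,dc=test"]),
        parse_uac(SAMPLE_ENTRIES["cn=svc-fileserver2,cn=Users,dc=example,dc=test"])))
```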


Re: [Samba] Performance Problem / failed to verify PAC server signature

2005-11-23 Thread Christoph Kaegi
On 23.11-02:22, Doug VanLeuven wrote:
 Well, no.  Maybe.  Yes.  Been a while since I confronted moving
 between des & arc4.
 
 in source/libads/ldap.c
 #ifndef ENCTYPE_ARCFOUR_HMAC
 acct_control |= UF_USE_DES_KEY_ONLY;
 #endif

I have in source/include/config.h:

  /* Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available */
  /* #undef HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */

And my MIT 1.4 says in krb5.h:

  [...]
  #define CKSUMTYPE_HMAC_SHA1_96_AES128   0x000f
  #define CKSUMTYPE_HMAC_SHA1_96_AES256   0x0010
  #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
  [...]

That last define of CKSUMTYPE_HMAC_MD5_ARCFOUR doesn't
look promising.

Does that mean, that my Kerberos library doesn't support
the encryption type that I need? (I checked also krb5-1.4.3, 
which has the same definition)

 
 So my experience is if it is defined in the include file at compile
 time, all accounts are created arc4 capable.  I don't see any
 flags in the smbd -b build options that confirm this either way.

What is an arc4 capable Unix account?

 Also, I use this samba option:
 use kerberos keytab = yes
 Which means samba creates /etc/krb5.keytab entries for you when you
 join the domain.
 If you use that option, your keytab file will probably only have des
 entries in it from when you joined and only des-cbc-crc and des-cbc-md5
 were allowed.
 

I rejoined, deleted the AD computer account, recreated it several
times.

All funny things are happening, including:

-- 8< --
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(36)
  ===
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 20569 (3.0.21rc1)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(39)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(40)
  ===
[2005/11/23 14:32:47, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
-- 8< --

after a successful join...

Chris

-- 
Christoph Kaegi   [EMAIL PROTECTED]


Re: [Samba] Performance Problem / failed to verify PAC server signature

2005-11-23 Thread Christoph Kaegi
On 22.11-10:58, Guenther Deschner wrote:
  
  -- 8< --
  [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption 
  type
  [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
check_pac_checksum: PAC Verification failed: Bad encryption type 
  (-1765328196)
  [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
decode_pac_data: failed to verify PAC server signature
  [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
  -- 8< --
 
 Then you most probably are forced to use DES keys when authenticating with
 Kerberos on your OS, right? PAC verification must then fail due to a bug
 in Windows (which fails to put DES-based checksum into the PAC
 signatures), so we can't verify the signature. What exact Kerberos library
 are you using (version) ?
 

Today, I recreated the AD computer account. After issuing
the ktpass command on the domain controller, it said indeed:

  Account has been set for DES-only encryption

Did I understand this correctly, that this is the desired behaviour?

Or should I specify -DESOnly?

-- 
Christoph Kaegi   [EMAIL PROTECTED]


Re: [Samba] Performance Problem / failed to verify PAC server signature

2005-11-22 Thread Guenther Deschner
Hi,

On Mon, Nov 21, 2005 at 04:42:39PM +0100, Christoph Kaegi wrote:
 
 Hello List
 
 We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind)
 but authenticating against ADS.
 There are up to 800 concurrent users, mostly Windows XP SP3.
 
 When clients access MyDocuments, which is redirected to the Samba 
 share, we observe several 
 
   Session Setup AndX Requests
 
 followed by 
 
   Session Setup AndX Response, Error: STATUS_LOGON_FAILUREs
 
 The delay between the request and the negative response is negligible 
 when less than 200 users are online. But at more than 500 concurrent
 users, the delay becomes something between 1 and 5 seconds.
 
 This delays access to MyDocuments quite a bit, considering that 
 there are sometimes up to 10 such requests.
 
 So I'm interested in finding the problem and fixing it.
 The log says:
 
 -- 8< --
 [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
   smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption 
 type
 [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
   check_pac_checksum: PAC Verification failed: Bad encryption type 
 (-1765328196)
 [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
   decode_pac_data: failed to verify PAC server signature
 [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
   ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
 -- 8< --

First of all: are you sure you are running Samba 3.0.20? The PAC
verification code is not in any of the 3.0.20/a/b tarball releases (just
accidentally in the 3.0.20a subversion tags directory) but only in the
3.0.21 series of pre-releases/rcs.

Then you most probably are forced to use DES keys when authenticating with
Kerberos on your OS, right? PAC verification must then fail due to a bug
in Windows (which fails to put DES-based checksum into the PAC
signatures), so we can't verify the signature. What exact Kerberos library
are you using (version) ?

Nonetheless, failure of the PAC verification is non-critical, we just
return to old behaviour and ignore the PAC again, meaning that you can
ignore the error messages.

Guenther
-- 
Günther Deschner      GPG-ID: 8EE11688
Novell / SUSE LINUX   [EMAIL PROTECTED]
Samba Team            [EMAIL PROTECTED]



Re: [Samba] Performance Problem / failed to verify PAC server signature

2005-11-22 Thread Christoph Kaegi
On 22.11-10:58, Guenther Deschner wrote:
  -- 8< --
  [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption 
  type
  [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
check_pac_checksum: PAC Verification failed: Bad encryption type 
  (-1765328196)
  [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
decode_pac_data: failed to verify PAC server signature
  [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
  -- 8< --
 
 First of all: are you sure you are running Samba 3.0.20? The PAC
 verification code is not in any of the 3.0.20/a/b tarball releases (just
 accidentally in the 3.0.20a subversion tags directory) but only in the
 3.0.21 series of pre-releases/rcs.

The production Server runs 3.0.20, but the test Server, where I 
analyzed this and where the logs are coming from is 3.0.21rc1 indeed.

Sorry for the confusion.

But in both cases, the behaviour on the network is the same
(STATUS_LOGON_FAILUREs with a certain delay, depending on load)

 Then you most probably are forced to use DES keys when authenticating with
 Kerberos on your OS, right? PAC verification must then fail due to a bug
 in Windows (which fails to put DES-based checksum into the PAC
 signatures), so we can't verify the signature. What exact Kerberos library
 are you using (version) ?

Hm, how can I determine, if I use DES keys? I have the following in
krb5.conf (if that is what you mean):

-- 8< --
   default_tkt_enctypes = des-cbc-crc, des-cbc-md5
   default_tgs_enctypes = des-cbc-crc, des-cbc-md5
-- 8< --

I derived this from google knowledge, but I'll change this
gladly if you tell me it is wrong.

Kerberos is MIT Kerberos5 1.4

 
 Nonetheless, failure of the PAC verification is non-critical, we just
 return to old behaviour and ignore the PAC again, meaning that you can
 ignore the error messages.

Yes, everything is functioning, but we have delays of several minutes
for some clients, which is not really acceptable for them anymore.

These session setup requests / failures are responsible for most of
the time it takes to access MyDocuments. So I figured, if
we can solve this, the delays should be back in acceptable ranges.

What exactly is this PAC, btw.?

Thanks very much

Chris

-- 
Christoph Kaegi   [EMAIL PROTECTED]


Re: [Samba] Performance Problem / failed to verify PAC server signature

2005-11-22 Thread Doug VanLeuven

Christoph Kaegi wrote:

On 22.11-10:58, Guenther Deschner wrote:


-- 8< --
[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
 smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
 check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
[2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
 decode_pac_data: failed to verify PAC server signature
[2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
 ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
-- 8< --


First of all: are you sure you are running Samba 3.0.20? The PAC
verification code is not in any of the 3.0.20/a/b tarball releases (just
accidentally in the 3.0.20a subversion tags directory) but only in the
3.0.21 series of pre-releases/rcs.



The production Server runs 3.0.20, but the test Server, where I 
analyzed this and where the logs are coming from is 3.0.21rc1 indeed.


Sorry for the confusion.

But in both cases, the behaviour on the network is the same
(STATUS_LOGON_FAILUREs with a certain delay, depending on load)



Then you most probably are forced to use DES keys when authenticating with
Kerberos on your OS, right? PAC verification must then fail due to a bug
in Windows (which fails to put DES-based checksum into the PAC
signatures), so we can't verify the signature. What exact Kerberos library
are you using (version) ?



Hm, how can I determine, if I use DES keys? I have the following in
krb5.conf (if that is what you mean):

-- 8< --
   default_tkt_enctypes = des-cbc-crc, des-cbc-md5
   default_tgs_enctypes = des-cbc-crc, des-cbc-md5
-- 8< --

I derived this from google knowledge, but I'll change this
gladly if you tell me it is wrong.

Kerberos is MIT Kerberos5 1.4


With Kerberos 1.4 you should include rc4-hmac in the list of enctypes.
It is the native mode of windows.

Regards, Doug


[Samba] Performance Problem / failed to verify PAC server signature

2005-11-21 Thread Christoph Kaegi

Hello List

We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind)
but authenticating against ADS.
There are up to 800 concurrent users, mostly Windows XP SP3.

When clients access MyDocuments, which is redirected to the Samba 
share, we observe several 

  Session Setup AndX Requests

followed by 

  Session Setup AndX Response, Error: STATUS_LOGON_FAILUREs

The delay between the request and the negative response is negligible 
when less than 200 users are online. But at more than 500 concurrent
users, the delay becomes something between 1 and 5 seconds.

This delays access to MyDocuments quite a bit, considering that 
there are sometimes up to 10 such requests.

So I'm interested in finding the problem and fixing it.
The log says:

-- 8< --
[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
  smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
[2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
  decode_pac_data: failed to verify PAC server signature
[2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
  ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
-- 8< --

Other relevant Server settings are:

-- 8< --
security= ADS
realm   = FOO.BAR
use kerberos keytab = yes
workgroup   = FOOBAR

log file   = /var/log/samba/smbd.log
log level  = 10
max log size   = 0
socket options = TCP_NODELAY
local master   = no
domain master  = no
preferred master = no
domain logons= no
wins support = no
-- 8< --

Any hints?

Thanks a lot

Christoph

-- 
Christoph Kaegi   [EMAIL PROTECTED]