Hi, On Mon, Nov 21, 2005 at 04:42:39PM +0100, Christoph Kaegi wrote: > > Hello List > > We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind) > but authenticating against ADS. > There are up to 800 concurrent users, mostly Windows XP SP3. > > When clients access MyDocuments, which is redirected to the Samba > share, we observe several > > "Session Setup AndX Request"s > > followed by > > "Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"s > > The delay between the request and the negative response is negligible > when less than 200 users are online. But at more than 500 concurrent > users, the delay becomes something between 1 to 5 secons. > > This delays access to MyDocuments quite a bit, considering that > there are sometimes up to 10 such requests. > > So I'm interested in finding the problem and fixing it. > The log says: > > -------------------------------------- 8< > -------------------------------------- > [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695) > smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption > type > [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666) > check_pac_checksum: PAC Verification failed: Bad encryption type > (-1765328196) > [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876) > decode_pac_data: failed to verify PAC server signature > [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416) > ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED > -------------------------------------- 8< > --------------------------------------
First of all: are you sure you are running Samba 3.0.20? The PAC verification code is not in any of the 3.0.20/a/b tarball releases (just accidentially in the 3.0.20a subversion tags directory) but only in the 3.0.21 series of pre-releases/rcs. Then you most probably are forced to use DES keys when authenticating with Kerberos on your OS, right? PAC verification must then fail due to a bug in Windows (which fails to put DES-based checksum into the PAC signatures), so we can't verify the signature. What exact Kerberos library are you using (version) ? Nonetheless, failure of the PAC verification is non-critical, we just return to old behaviour and ignore the PAC again, meaning that you can ignore the error messages. Guenther -- Günther Deschner GPG-ID: 8EE11688 Novell / SUSE LINUX [EMAIL PROTECTED] Samba Team [EMAIL PROTECTED]
pgpeT4uZUrYGu.pgp
Description: PGP signature
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
