[Samba] Performance Problem / failed to verify PAC server signature

Christoph Kaegi kgc at zhwin.ch
Mon Nov 21 15:42:39 GMT 2005 

Hello List

We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind)
but authenticating against ADS.
There are up to 800 concurrent users, mostly Windows XP SP3.

When clients access MyDocuments, which is redirected to the Samba 
share, we observe several 

  "Session Setup AndX Request"s

followed by 

  "Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"s

The delay between the request and the negative response is negligible 
when less than 200 users are online. But at more than 500 concurrent
users, the delay becomes something between 1 to 5 secons.

This delays access to MyDocuments quite a bit, considering that 
there are sometimes up to 10 such requests.

So I'm interested in finding the problem and fixing it.
The log says:

-------------------------------------- 8< --------------------------------------
[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
  smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
[2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
  decode_pac_data: failed to verify PAC server signature
[2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
  ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
-------------------------------------- 8< --------------------------------------

Other relevant Server settings are:

-------------------------------------- 8< --------------------------------------
security            = ADS
realm               = FOO.BAR
use kerberos keytab = yes
workgroup           = FOOBAR

log file       = /var/log/samba/smbd.log
log level      = 10
max log size   = 0
socket options = TCP_NODELAY
local master   = no
domain master  = no
preferred master = no
domain logons    = no
wins support     = no
-------------------------------------- 8< --------------------------------------

Any hints?

Thanks alot

Christoph

-- 
----------------------------------------------------------------------
Christoph Kaegi                                           kgc at zhwin.ch
----------------------------------------------------------------------

More information about the samba mailing list