[Samba] Performance Problem / failed to verify PAC server signature

Guenther Deschner gd at samba.org
Tue Nov 22 09:58:53 GMT 2005


On Mon, Nov 21, 2005 at 04:42:39PM +0100, Christoph Kaegi wrote:
> Hello List
> We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind)
> but authenticating against ADS.
> There are up to 800 concurrent users, mostly Windows XP SP3.
> When clients access MyDocuments, which is redirected to the Samba 
> share, we observe several 
>   "Session Setup AndX Request"s
> followed by 
>   "Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"s
> The delay between the request and the negative response is negligible 
> when less than 200 users are online. But at more than 500 concurrent
> users, the delay becomes something between 1 to 5 secons.
> This delays access to MyDocuments quite a bit, considering that 
> there are sometimes up to 10 such requests.
> So I'm interested in finding the problem and fixing it.
> The log says:
> -------------------------------------- 8< --------------------------------------
> [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
>   smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
> [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
>   check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
> [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
>   decode_pac_data: failed to verify PAC server signature
> [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
>   ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
> -------------------------------------- 8< --------------------------------------

First of all: are you sure you are running Samba 3.0.20? The PAC
verification code is not in any of the 3.0.20/a/b tarball releases (just
accidentially in the 3.0.20a subversion tags directory) but only in the
3.0.21 series of pre-releases/rcs.

Then you most probably are forced to use DES keys when authenticating with
Kerberos on your OS, right? PAC verification must then fail due to a bug
in Windows (which fails to put DES-based checksum into the PAC
signatures), so we can't verify the signature. What exact Kerberos library
are you using (version) ?

Nonetheless, failure of the PAC verification is non-critical, we just
return to old behaviour and ignore the PAC again, meaning that you can
ignore the error messages.

Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE LINUX                       gd at suse.de
Samba Team                              gd at samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20051122/61e14ad1/attachment.bin

More information about the samba mailing list