[Samba] Performance Problem / failed to verify PAC server signature

Christoph Kaegi kgc at zhwin.ch
Tue Nov 22 10:15:40 GMT 2005

On 22.11-10:58, Guenther Deschner wrote:
> > -------------------------------------- 8< --------------------------------------
> > [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
> >   smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
> > [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
> >   check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
> > [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
> >   decode_pac_data: failed to verify PAC server signature
> > [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
> >   ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
> > -------------------------------------- 8< --------------------------------------
> First of all: are you sure you are running Samba 3.0.20? The PAC
> verification code is not in any of the 3.0.20/a/b tarball releases (just
> accidentally in the 3.0.20a subversion tags directory) but only in the
> 3.0.21 series of pre-releases/rcs.

The production server runs 3.0.20, but the test server, where I
analyzed this and where the logs are coming from, is 3.0.21rc1 indeed.

Sorry for the confusion.

But in both cases, the behaviour on the network is the same
(STATUS_LOGON_FAILUREs with a certain delay, depending on load)

> Then you most probably are forced to use DES keys when authenticating with
> Kerberos on your OS, right? PAC verification must then fail due to a bug
> in Windows (which fails to put DES-based checksum into the PAC
> signatures), so we can't verify the signature. What exact Kerberos library
> are you using (version) ?

Hm, how can I determine if I use DES keys? I have the following in
krb5.conf (if that is what you mean):

-------------------------------------- 8< --------------------------------------
   default_tkt_enctypes = des-cbc-crc, des-cbc-md5
   default_tgs_enctypes = des-cbc-crc, des-cbc-md5
-------------------------------------- 8< --------------------------------------

I derived this from google knowledge, but I'll change this
gladly if you tell me it is wrong.

Kerberos is MIT Kerberos5 1.4

> Nonetheless, failure of the PAC verification is non-critical, we just
> return to old behaviour and ignore the PAC again, meaning that you can
> ignore the error messages.

Yes, everything is functioning, but we have delays of several minutes
for some clients, which is not really acceptable for them anymore.

These session setup requests / failures are responsible for most
of the time it takes to access MyDocuments. So I figured, if
we can solve this, the delays should be back in acceptable ranges.

What exactly is this PAC, btw.?

Thanks very much


Christoph Kaegi                                           kgc at zhwin.ch
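
Added example, not part of the original message and not Samba or MIT Kerberos code: a Python sketch that checks krb5.conf text for enctype settings restricted to single DES (the "how can I determine if I use DES keys" question above) and extracts PAC checksum failures from a Samba log in the format quoted above. The function names are hypothetical and the sample inputs are constructed from the excerpts in this message.

```python
import re

# Single-DES enctype names; anything else (rc4-hmac, aes*, des3-*) is not single DES.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = r"(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+\S+$")
PAC_FAIL = re.compile(r"check_pac_checksum: PAC Verification failed: (.+) \((-?\d+)\)")

def des_only_settings(krb5_conf_text):
    """Return {setting: [enctypes]} for settings that allow only single DES."""
    found = {}
    for line in krb5_conf_text.splitlines():
        m = re.match(r"\s*" + ENCTYPE_KEYS + r"\s*=\s*(.+)", line)
        if not m:
            continue  # comments, section headers, unrelated settings
        types = [t.lower() for t in re.split(r"[,\s]+", m.group(2).strip()) if t]
        if types and all(t in SINGLE_DES for t in types):
            found[m.group(1)] = types
    return found

def pac_failures(log_text):
    """Return (timestamp, reason, krb5_code) for each PAC checksum failure."""
    events, stamp = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            stamp = header.group(1)  # message lines follow their header line
            continue
        m = PAC_FAIL.search(line)
        if m:
            events.append((stamp, m.group(1), int(m.group(2))))
    return events

# Constructed sample inputs, taken from the excerpts quoted in this message.
SAMPLE_KRB5 = """[libdefaults]
   default_tkt_enctypes = des-cbc-crc, des-cbc-md5
   default_tgs_enctypes = des-cbc-crc, des-cbc-md5
"""
SAMPLE_LOG = """[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
  smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
"""

if __name__ == "__main__":
    print("DES-only settings:", des_only_settings(SAMPLE_KRB5))
    print("PAC failures:", pac_failures(SAMPLE_LOG))
```
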
