[Samba] Performance Problem / failed to verify PAC server signature
Doug VanLeuven
roamdad at sonic.net
Tue Nov 22 17:35:42 GMT 2005
Christoph Kaegi wrote:
> On 22.11-10:58, Guenther Deschner wrote:
>
>>>-------------------------------------- 8< --------------------------------------
>>>[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
>>> smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
>>>[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
>>> check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
>>>[2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
>>> decode_pac_data: failed to verify PAC server signature
>>>[2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
>>> ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
>>>-------------------------------------- 8< --------------------------------------
>>
>>First of all: are you sure you are running Samba 3.0.20? The PAC
>>verification code is not in any of the 3.0.20/a/b tarball releases (just
>>accidentally in the 3.0.20a subversion tags directory) but only in the
>>3.0.21 series of pre-releases/rcs.
>
>
> The production Server runs 3.0.20, but the test Server, where I
> analyzed this and where the logs are coming from is 3.0.21rc1 indeed.
>
> Sorry for the confusion.
>
> But in both cases, the behaviour on the network is the same
> (STATUS_LOGON_FAILUREs with a certain delay, depending on load)
>
>
>>Then you most probably are forced to use DES keys when authenticating with
>>Kerberos on your OS, right? PAC verification must then fail due to a bug
>>in Windows (which fails to put DES-based checksum into the PAC
>>signatures), so we can't verify the signature. What exact Kerberos library
>>are you using (version) ?
>
>
> Hm, how can I determine, if I use DES keys? I have the following in
> krb5.conf (if that is what you mean):
>
> -------------------------------------- 8< --------------------------------------
> default_tkt_enctypes = des-cbc-crc, des-cbc-md5
> default_tgs_enctypes = des-cbc-crc, des-cbc-md5
> -------------------------------------- 8< --------------------------------------
>
> I derived this from google knowledge, but I'll change this
> gladly if you tell me it is wrong.
>
> Kerberos is MIT Kerberos5 1.4
With Kerberos 1.4 you should include rc4-hmac in the list of enctypes.
It is the native mode of Windows.
Regards, Doug
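
Added example (not part of the original thread, and not Samba or MIT Kerberos code): a small checker that reads the enctype settings from the `[libdefaults]` section of a krb5.conf and reports which ones offer no RC4-HMAC name, the condition discussed above. The function names and both sample configurations are constructed for illustration; the first sample reuses the two lines quoted in the thread.

```python
import re

# Names MIT Kerberos accepts for the RC4-HMAC enctype.
RC4_NAMES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_libdefaults(conf_text):
    """Return {key: [enctypes]} for the enctype settings in [libdefaults]."""
    settings = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            # The list may be delimited with commas and/or whitespace.
            settings[key] = [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return settings


def missing_rc4(conf_text):
    """List the enctype settings that are set but offer no RC4-HMAC name."""
    return sorted(k for k, v in parse_libdefaults(conf_text).items()
                  if not RC4_NAMES & set(v))


# Constructed sample: the two lines quoted in the thread, placed in [libdefaults].
THREAD_CONF = """
[libdefaults]
    default_tkt_enctypes = des-cbc-crc, des-cbc-md5
    default_tgs_enctypes = des-cbc-crc, des-cbc-md5
"""

# Constructed sample: the same lists with rc4-hmac added, as the reply suggests.
FIXED_CONF = THREAD_CONF.replace("des-cbc-crc,", "rc4-hmac, des-cbc-crc,")

if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONF), ("fixed", FIXED_CONF)):
        print(name, "settings without RC4-HMAC:", missing_rc4(text) or "none")
```

Settings that are absent from the file are not reported, since the library defaults then apply.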