[Samba] Performance Problem / failed to verify PAC server signature

Doug VanLeuven roamdad at sonic.net
Tue Nov 22 17:35:42 GMT 2005


Christoph Kaegi wrote:
> On 22.11-10:58, Guenther Deschner wrote:
> 
>>>-------------------------------------- 8< --------------------------------------
>>>[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
>>>  smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
>>>[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
>>>  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
>>>[2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
>>>  decode_pac_data: failed to verify PAC server signature
>>>[2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
>>>  ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
>>>-------------------------------------- 8< --------------------------------------
>>
>>First of all: are you sure you are running Samba 3.0.20? The PAC
>>verification code is not in any of the 3.0.20/a/b tarball releases (just
>>accidentally in the 3.0.20a subversion tags directory) but only in the
>>3.0.21 series of pre-releases/rcs.
> 
> 
> The production Server runs 3.0.20, but the test Server, where I 
> analyzed this and where the logs are coming from is 3.0.21rc1 indeed.
> 
> Sorry for the confusion.
> 
> But in both cases, the behaviour on the network is the same
> (STATUS_LOGON_FAILUREs with a certain delay, depending on load)
> 
> 
>>Then you most probably are forced to use DES keys when authenticating with
>>Kerberos on your OS, right? PAC verification must then fail due to a bug
>>in Windows (which fails to put DES-based checksum into the PAC
>>signatures), so we can't verify the signature. What exact Kerberos library
>>are you using (version) ?
> 
> 
> Hm, how can I determine, if I use DES keys? I have the following in
> krb5.conf (if that is what you mean):
> 
> -------------------------------------- 8< --------------------------------------
>    default_tkt_enctypes = des-cbc-crc, des-cbc-md5
>    default_tgs_enctypes = des-cbc-crc, des-cbc-md5
> -------------------------------------- 8< --------------------------------------
> 
> I derived this from google knowledge, but I'll change this
> gladly if you tell me it is wrong.
> 
> Kerberos is MIT Kerberos5 1.4

With Kerberos 1.4 you should include rc4-hmac in the list of enctypes.
It is the native mode of Windows.

Regards, Doug
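
The following is an added example, not part of the original thread or of Samba/MIT code. It is one way to answer the "am I restricted to DES?" question from a krb5.conf: it parses the two enctype settings quoted above and flags the lists that contain only DES types. The [libdefaults] section header, the function names and the "fixed" sample are assumptions made for illustration.

```python
import re

# Constructed sample: the two lines quoted in the thread, placed under a
# [libdefaults] header (the header is an assumption, it is not in the post).
SAMPLE_KRB5_CONF = """\
[libdefaults]
   default_tkt_enctypes = des-cbc-crc, des-cbc-md5
   default_tgs_enctypes = des-cbc-crc, des-cbc-md5
"""

# Constructed sample: the same settings with rc4-hmac added as advised.
FIXED_KRB5_CONF = """\
[libdefaults]
   default_tkt_enctypes = rc4-hmac, des-cbc-crc, des-cbc-md5
   default_tgs_enctypes = rc4-hmac, des-cbc-crc, des-cbc-md5
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")


def parse_enctypes(conf_text):
    """Return {key: [enctype, ...]} for the enctype settings in [libdefaults]."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            # Names may be separated by commas and/or whitespace.
            found[key] = [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return found


def des_only_settings(conf_text):
    """Return the sorted keys whose enctype list is non-empty and all DES."""
    settings = parse_enctypes(conf_text)
    # "des-" matches des-cbc-crc / des-cbc-md5 but not des3-* or rc4-hmac.
    return sorted(key for key, enctypes in settings.items()
                  if enctypes and all(e.startswith("des-") for e in enctypes))


if __name__ == "__main__":
    print("DES-only (as posted):", des_only_settings(SAMPLE_KRB5_CONF))
    print("DES-only (rc4-hmac added):", des_only_settings(FIXED_KRB5_CONF))
```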

