[Samba] Performance Problem / failed to verify PAC server signature

Doug VanLeuven roamdad at sonic.net
Wed Nov 23 10:22:33 GMT 2005


Christoph Kaegi wrote:
> On 22.11-09:35, Doug VanLeuven wrote:
> 
>>>Hm, how can I determine, if I use DES keys? I have the following in
>>>krb5.conf (if that is what you mean):
>>>
>>>-------------------------------------- 8< --------------------------------------
>>>  default_tkt_enctypes = des-cbc-crc, des-cbc-md5
>>>  default_tgs_enctypes = des-cbc-crc, des-cbc-md5
>>>-------------------------------------- 8< --------------------------------------
>>>
>>>I derived this from google knowledge, but I'll change this
>>>gladly if you tell me it is wrong.
>>>
>>>Kerberos is MIT Kerberos5 1.4
>>
>>With Kerberos 1.4 you should include rc4-hmac in the list of enctypes.
>>It is the native mode of windows.
> 
> 
> Thanks! I added this to my /etc/krb5.conf.
> 
> It didn't help my problem though.
> 
> Any more hints?

Well, no.  Maybe.  Yes.  Been a while since I confronted moving
between des & arc4.

In source/libads/ldap.c:

    #ifndef ENCTYPE_ARCFOUR_HMAC
            acct_control |= UF_USE_DES_KEY_ONLY;
    #endif

So my experience is that if it is defined in the include file at compile
time, all accounts are created arc4 capable.  I don't see any
flags in the "smbd -b" build options that confirm this either way.

You could check (if your computer joined a long time ago) using ldp.exe,
which translates the flags into English:
    cn=<your computer>,cn=Computers,cn=<your domain>
       userAccountControl
           0x00200000    ADS_UF_USE_DES_KEY_ONLY
Subtract that out to clear the bit, if set, which it might be, depending
on how long ago you joined.  I use adsiedit.msc, which presents the
flag in decimal.

Also, I use this samba option:
    use kerberos keytab = yes
which means samba creates /etc/krb5.keytab entries for you when you
join the domain.
If you use that option, your keytab file will probably only have des
entries in it from when you joined and only des-cbc-crc and des-cbc-md5
were allowed.

You can generate a new set of keys with this command:
    net ads changetrustpw
Or you can delete the computer account on the domain controller,
delete the existing keytab entries (or the keytab file if no other
keys are present), and rejoin the domain.
I got leery of changetrustpw because sometimes it would hang in
the kerberos libraries in version krb5 1.3.4 if one ran the command
several times in a short period of time.  Once was always OK.
FWIW I believe it hangs trying to delete older key versions that
are still current and in use.

If you don't use that option and you manually created the keytab entry
with ktpass.exe, then you'd know if you used
    /DesOnly
and if you did, you'd need to cut a new keytab that wasn't DES only.

Whichever way you edit or update, there is caching of tickets going on.
I remember after one long night of updating kerberos and rejoining the
domain, nothing worked.  The machine beat me.  Next day I thought,
let's try it one more time.  Worked like a charm without modification.
Kerberos hammered home the lesson that patience is a virtue.
Never did come up with a deterministic method to compute the time
to outlive the cache.  Don't know if it's cached in samba secrets
or the windows domain controller.

Luck, Doug
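The two checks Doug describes by hand above (reading the userAccountControl bits of the machine account and looking at which enctypes the keytab actually holds) can be scripted. The following is an added example for this thread, not Samba's or MIT Kerberos's code and not something the poster ran: it decodes a userAccountControl value the way ldp.exe/adsiedit.msc show it, computes the value with ADS_UF_USE_DES_KEY_ONLY (0x00200000) cleared, and parses `klist -ke` output to flag principals that have only DES keys and no ArcFour/RC4-HMAC key. The klist text, hostname and realm are constructed sample data in MIT `klist -ke` format.

```python
"""Audit a Samba/AD machine account for DES-only Kerberos configuration.

Added example for the mailing-list thread above; not Samba's or MIT
Kerberos's own code.  Checks performed:
  1. decode a userAccountControl value and report whether
     ADS_UF_USE_DES_KEY_ONLY (0x00200000, decimal 2097152) is set;
  2. parse `klist -ke` output and list principals whose keytab entries
     are DES only (no "ArcFour with HMAC/md5" key).
The SAMPLE_KLIST text below is constructed, not captured from a real host.
"""
import re

# Subset of userAccountControl bits as documented for Active Directory.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQUIRE_PREAUTH",
}
UF_USE_DES_KEY_ONLY = 0x00200000


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def clear_des_only(value):
    """Return the value with USE_DES_KEY_ONLY cleared, i.e. what to write back.

    AND-NOT is safe whether or not the bit is set; subtracting 2097152 from
    the decimal adsiedit shows would corrupt the value if it was already clear.
    """
    return value & ~UF_USE_DES_KEY_ONLY


# One `klist -ke` entry line: "  KVNO principal (enctype description)".
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Map each principal in `klist -ke` output to its set of enctype names."""
    keys = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return keys


def des_only_principals(keys):
    """Principals that hold DES keys but no ArcFour (RC4-HMAC) key."""
    out = []
    for princ, encs in sorted(keys.items()):
        has_des = any("DES" in e for e in encs)
        has_rc4 = any("ArcFour" in e for e in encs)
        if has_des and not has_rc4:
            out.append(princ)
    return out


# Constructed sample in MIT `klist -ke` format (hostname and realm made up).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fileserver.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/fileserver.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 FILESERVER$@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 FILESERVER$@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 FILESERVER$@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

if __name__ == "__main__":
    # Hypothetical value as adsiedit.msc would show it for an old machine join.
    uac = 0x00201000
    print("flags:", sorted(decode_uac(uac)))
    print("cleared value (decimal):", clear_des_only(uac))
    print("DES-only principals:", des_only_principals(parse_klist(SAMPLE_KLIST)))
```

In the constructed sample the host/ principal has only the two DES keys Christoph's original enctype list allowed, while the FILESERVER$ entry already has an RC4 key; the former is the case Doug describes where you need `net ads changetrustpw` or a rejoin to cut new keys.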

