[Samba] Performance Problem / failed to verify PAC server signature

Christoph Kaegi kgc at zhwin.ch
Wed Nov 23 13:54:36 GMT 2005 

On 23.11-02:22, Doug VanLeuven wrote:
> Well, no.  Maybe.  Yes.  Been a while since I confronted moving
> between des & arc4.
> 
> in source/libads/ldap.c
> #ifndef ENCTYPE_ARCFOUR_HMAC
>         acct_control |= UF_USE_DES_KEY_ONLY;
> #endif

I have in source/include/config.h:

  /* Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available */
  /* #undef HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */

And my MIT 1.4 says in krb5.h:

  [...]
  #define CKSUMTYPE_HMAC_SHA1_96_AES128   0x000f
  #define CKSUMTYPE_HMAC_SHA1_96_AES256   0x0010
  #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
  [...]

That last define of CKSUMTYPE_HMAC_MD5_ARCFOUR seems doesn't
look promising.

Does that mean, that my Kerberos library doesn't support
the encryption type that I need? (I checked also krb5-1.4.3, 
which has the same definition)

> 
> So my experience is if it is defined in the include file at compile
> time, all accounts are created arc4 capable.  I don't see any
> flags in the "smbd -b" build options that confirm this either way

What is an arc4 capable Unix account?

> Also, I use this samba option:
> use kerberos keytab = yes
> Which means samba creates /etc/krb5.keytab entries for you when you
> join the domain.
> If you use that option, your keytab file will probably only have des
> entries in it from when you joined and only des-cbc-crc and des-cbc-md5
> were allowed.
> 

I rejoined, deleted the AD computer account, recreated it several
times.

All funny things are happening, including:

-------------------------------------- 8< --------------------------------------
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(36)
  ===============================================================
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 20569 (3.0.21rc1)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(39)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2005/11/23 14:32:47, 0] lib/fault.c:fault_report(40)
  ===============================================================
[2005/11/23 14:32:47, 0] lib/util.c:smb_panic2(1554)
  PANIC: internal error
-------------------------------------- 8< --------------------------------------

after a successful join...

Chris

-- 
----------------------------------------------------------------------
Christoph Kaegi                                           kgc at zhwin.ch
----------------------------------------------------------------------

More information about the samba mailing list