[Samba] Performance Problem / failed to verify PAC server
signature
Christoph Kaegi
kgc at zhwin.ch
Wed Nov 23 14:30:26 GMT 2005
On 22.11-10:58, Guenther Deschner wrote:
> >
> > -------------------------------------- 8< --------------------------------------
> > [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
> > smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
> > [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
> > check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
> > [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
> > decode_pac_data: failed to verify PAC server signature
> > [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
> > ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
> > -------------------------------------- 8< --------------------------------------
>
> Then you most probably are forced to use DES keys when authenticating with
> Kerberos on your OS, right? PAC verification must then fail due to a bug
> in Windows (which fails to put DES-based checksum into the PAC
> signatures), so we can't verify the signature. What exact Kerberos library
> are you using (version) ?
>
Today, I recreated the AD computer account. After issuing
the ktpass command on the domain controller, it said indeed:
"Account has been set for DES-only encryption"
Did I understand this correctly, that this is the desired behaviour?
Or should I specify -DESOnly?
--
----------------------------------------------------------------------
Christoph Kaegi kgc at zhwin.ch
----------------------------------------------------------------------
More information about the samba
mailing list