[Samba] Performance Problem / failed to verify PAC server signature

Doug VanLeuven roamdad at sonic.net
Thu Nov 24 09:22:09 GMT 2005


Christoph Kaegi wrote:
> On 23.11-02:22, Doug VanLeuven wrote:
> 
>>Well, no.  Maybe.  Yes.  Been a while since I confronted moving
>>between des & arc4.
>>
>>in source/libads/ldap.c
>>#ifndef ENCTYPE_ARCFOUR_HMAC
>>        acct_control |= UF_USE_DES_KEY_ONLY;
>>#endif
> 
> 
> I have in source/include/config.h:
> 
>   /* Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available */
>   /* #undef HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */

Heimdal kerberos defines rc4-hmac this way.

From MIT site:
Supported Encryption Types
arcfour-hmac
rc4-hmac
arcfour-hmac-md5
     RC4 with HMAC/MD5
These are all synonyms.

> 
> And my MIT 1.4 says in krb5.h:
> 
>   [...]
>   #define CKSUMTYPE_HMAC_SHA1_96_AES128   0x000f
>   #define CKSUMTYPE_HMAC_SHA1_96_AES256   0x0010
>   #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/
>   [...]
> 
> That last define of CKSUMTYPE_HMAC_MD5_ARCFOUR doesn't
> look promising.

About 20 lines before that you should see
#define ENCTYPE_ARCFOUR_HMAC    0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018

So your compiled samba will have rc4-hmac support.

> 
> Does that mean, that my Kerberos library doesn't support
> the encryption type that I need? (I checked also krb5-1.4.3, 
> which has the same definition)
> 
> 
>>So my experience is if it is defined in the include file at compile
>>time, all accounts are created arc4 capable.  I don't see any
>>flags in the "smbd -b" build options that confirm this either way
> 
> 
> What is an arc4 capable Unix account?

Not arc4 capable Unix, arc4-hmac capable Windows computer account.
This is the default state of windows accounts and a flag is necessary
to force des-only usage.

In Active Directory
   In domain
      wherever computer accounts get setup
         cn=<computer name>
            userAccountControl: 0x11000
               The two set bits mean:
               UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD
This account is arc4 capable.
An account that is des only has this value:
            userAccountControl: 0x211000
            UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD
            | UF_USE_DES_KEY_ONLY

userAccountControl exists in user accounts too.

ktpass.exe:
    +des (des only - default for command)
    -des (not des only)

> 
> 
>>Also, I use this samba option:
>>use kerberos keytab = yes
>>Which means samba creates /etc/krb5.keytab entries for you when you
>>join the domain.
>>If you use that option, your keytab file will probably only have des
>>entries in it from when you joined and only des-cbc-crc and des-cbc-md5
>>were allowed.
>>
> 
> 
> I rejoined, deleted the AD computer account, recreated it several
> times.
> 
> All funny things are happening, including:
> 
> -------------------------------------- 8< --------------------------------------
> [2005/11/23 14:32:47, 0] lib/fault.c:fault_report(36)
>   ===============================================================
> [2005/11/23 14:32:47, 0] lib/fault.c:fault_report(37)
>   INTERNAL ERROR: Signal 11 in pid 20569 (3.0.21rc1)
>   Please read the Trouble-Shooting section of the Samba3-HOWTO
> [2005/11/23 14:32:47, 0] lib/fault.c:fault_report(39)
>   
>   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> [2005/11/23 14:32:47, 0] lib/fault.c:fault_report(40)
>   ===============================================================
> [2005/11/23 14:32:47, 0] lib/util.c:smb_panic2(1554)
>   PANIC: internal error
> -------------------------------------- 8< --------------------------------------
> 
> after a successful join...

Bummer, shouldn't happen.  But it could be the kerberos.

I was curious, so I dragged out an old des only machine
used in testing last year.
RH9 with a custom 1.3.5 MIT kerberos.
Ethereal traces on port 88 show machine using only des
Compiled and installed samba 3.0.21pre3 SVN 11739
Ran it in des-only mode without issue, but had no easy way to check
redirected folders.

Then I converted it to your system of using a ktpass.exe generated
keytab using rc4-hmac.

Stopped samba
edit smb.conf and remove "use kerberos keytab = yes"
Deleted the existing computer account in AD
Deleted the existing mapped user account in AD
Deleted /etc/krb5.keytab
Edit krb5.conf and add rc4-hmac as -first- enctype in list for
   default_tgs_enctypes, default_tkt_enctypes, permitted_enctypes
Deleted samba's private.tdb
Deleted samba's winbindd_cache.tdb (just in case)
Created a new windows user account to be used for mapping in ktpass.exe
Ran ktpass.exe on domain controller with "-DesOnly"
Read the new keytab and write /etc/krb5.conf with it
Run "net ads join"
Ethereal trace on port 88 show rc4-hmac negotiated tickets

Using a ktpass.exe generated keytab, the AD computer account and the
AD mapped user account attribute userAccountControl must agree on the
flag UF_USE_DES_KEY_ONLY.  They either both indicate it or they
both don't indicate it, but they can't be mixed.

We'll be enjoying Thanksgiving holiday here.
Regards, Doug
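
The userAccountControl rule stated in the message above, as an added example that is not part of the original post or of Samba's code: it decodes the UF_* bits and checks that a computer account and its mapped user account agree on UF_USE_DES_KEY_ONLY. The function names are hypothetical, and the user-account values (0x10200, 0x210200) are constructed samples; 0x11000 and 0x211000 are the values from the message.

```python
# Added example: audit userAccountControl values for DES-only consistency.
# Bit values are the standard Active Directory UF_* flags.
UF_FLAGS = {
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000200: "UF_NORMAL_ACCOUNT",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00200000: "UF_USE_DES_KEY_ONLY",
}
UF_USE_DES_KEY_ONLY = 0x00200000


def parse_uac(value):
    """Accept an int, a decimal string (as LDAP returns it) or a 0x hex string."""
    if isinstance(value, int):
        return value
    return int(value.strip(), 0)


def decode_uac(value):
    """Return (names of known flags that are set, bits not in UF_FLAGS)."""
    uac = parse_uac(value)
    names = [name for bit, name in sorted(UF_FLAGS.items()) if uac & bit]
    unknown = uac & ~sum(UF_FLAGS)
    return names, unknown


def des_only(value):
    return bool(parse_uac(value) & UF_USE_DES_KEY_ONLY)


def check_pair(computer_uac, mapped_user_uac):
    """With a ktpass.exe keytab both accounts must agree on the DES-only flag."""
    comp, user = des_only(computer_uac), des_only(mapped_user_uac)
    if comp != user:
        return "MISMATCH"
    return "des-only" if comp else "rc4-hmac capable"


if __name__ == "__main__":
    # Constructed (computer, mapped user) pairs; "69632" is 0x11000 in decimal.
    pairs = [("69632", "0x10200"), (0x211000, 0x210200), (0x11000, 0x210200)]
    for comp, user in pairs:
        names, unknown = decode_uac(comp)
        print(hex(parse_uac(comp)), " | ".join(names), hex(unknown))
        print("  pair status:", check_pair(comp, user))
```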

