[Samba] Performance Problem / failed to verify PAC server signature

Doug VanLeuven roamdad at sonic.net
Thu Nov 24 18:13:55 GMT 2005

Doug VanLeuven wrote:
> Then I converted it to your system of using a ktpass.exe generated
> keytab using rc4-hmac.
> Stopped samba
> edit smb.conf and remove "use kerberos keytab = yes"
> Deleted the existing computer account in AD
> Deleted the existing mapped user account in AD
> Deleted /etc/krb5.keytab
> Edit krb5.conf and add rc4-hmac as -first- enctype in list for
>   default_tgs_enctypes, default_tkt_enctypes, permitted_enctypes
> Deleted samba's private.tdb
> Deleted samba's winbindd_cache.tdb (just in case)
> Created a new windows user account to be used for mapping in ktpass.exe
> Ran ktpass.exe on domain controller with "-DesOnly"
> Read the new keytab and write /etc/krb5.conf with it
Typo: should be /etc/krb5.keytab

> Run "net ads join"
> Ethereal trace on port 88 show rc4-hmac negotiated tickets
> Using a ktpass.exe generated keytab, the AD computer account and the
> AD mapped user account attribute userAccountControl must agree on the
> flag UF_USE_DES_KEY_ONLY.  They either both indicate it or they
> both don't indicate it, but they can't be mixed.
> We'll be enjoying Thanksgiving holiday here.
> Regards, Doug

More information about the samba mailing list