[Samba] Performance Problem / failed to verify PAC server signature
Doug VanLeuven
roamdad at sonic.net
Thu Nov 24 18:13:55 GMT 2005
Doug VanLeuven wrote:
> Then I converted it to your system of using a ktpass.exe generated
> keytab using rc4-hmac.
>
> Stopped samba
> edit smb.conf and remove "use kerberos keytab = yes"
> Deleted the existing computer account in AD
> Deleted the existing mapped user account in AD
> Deleted /etc/krb5.keytab
> Edit krb5.conf and add rc4-hmac as -first- enctype in list for
> default_tgs_enctypes, default_tkt_enctypes, permitted_enctypes
> Deleted samba's private.tdb
> Deleted samba's winbindd_cache.tdb (just in case)
> Created a new windows user account to be used for mapping in ktpass.exe
> Ran ktpass.exe on domain controller with "-DesOnly"
> Read the new keytab and write /etc/krb5.conf with it
^^^^
Typo: should be /etc/krb5.keytab
> Run "net ads join"
> Ethereal trace on port 88 show rc4-hmac negotiated tickets
>
> Using a ktpass.exe generated keytab, the AD computer account and the
> AD mapped user account attribute userAccountControl must agree on the
> flag UF_USE_DES_KEY_ONLY. They either both indicate it or they
> both don't indicate it, but they can't be mixed.
>
> We'll be enjoying Thanksgiving holiday here.
> Regards, Doug
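
The two conditions described above, as a checker (an added example, not part of the original post and not Samba code): it confirms that rc4-hmac is listed first in the three krb5.conf enctype settings, and that the computer account and the mapped user account agree on UF_USE_DES_KEY_ONLY. The account names, the realm and the LDIF-style directory export are constructed sample data; 0x200000 is the value of that flag in userAccountControl.

```python
import re
UF_USE_DES_KEY_ONLY = 0x200000  # userAccountControl bit for "use DES key only"
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Constructed sample data (hypothetical account names and realm).
SAMPLE_LDIF = """\
dn: CN=linuxbox,CN=Computers,DC=example,DC=com
sAMAccountName: linuxbox$
userAccountControl: 4096

dn: CN=svc-linuxbox,CN=Users,DC=example,DC=com
sAMAccountName: svc-linuxbox
userAccountControl: 2163200
"""
SAMPLE_KRB5 = """\
[libdefaults]
 default_tgs_enctypes = rc4-hmac des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-md5
"""

def uac_from_ldif(ldif):
    """Map sAMAccountName -> userAccountControl for each LDIF entry."""
    out = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(re.findall(r"^(\w+):[ \t]*(.+)$", entry, re.M))
        if "sAMAccountName" in attrs and "userAccountControl" in attrs:
            out[attrs["sAMAccountName"]] = int(attrs["userAccountControl"])
    return out

def first_enctype(krb5_conf, key):
    """First enctype listed for a krb5.conf setting, or None if it is absent."""
    m = re.search(rf"^\s*{key}\s*=\s*([^\s,]+)", krb5_conf, re.M)
    return m.group(1) if m else None

def check(ldif, computer, mapped_user, krb5_conf, want="rc4-hmac"):
    """Return a list of problems; an empty list means both conditions hold."""
    problems, uac = [], uac_from_ldif(ldif)
    missing = [a for a in (computer, mapped_user) if a not in uac]
    if missing:
        problems.append("account not found: " + ", ".join(missing))
    elif bool(uac[computer] & UF_USE_DES_KEY_ONLY) != bool(uac[mapped_user] & UF_USE_DES_KEY_ONLY):
        problems.append(f"UF_USE_DES_KEY_ONLY differs between {computer} and {mapped_user}")
    for key in ENCTYPE_KEYS:
        if first_enctype(krb5_conf, key) != want:
            problems.append(f"{key}: {want} is not the first enctype")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_LDIF, "linuxbox$", "svc-linuxbox", SAMPLE_KRB5))
```

In the sample data the mapped user has the flag set and the computer account does not, so the check reports the mixed state.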