[Samba] (Solved) Performance Problem / failed to verify PAC server signature

Christoph Kaegi kgc at zhwin.ch
Fri Nov 25 15:33:42 GMT 2005

On 24.11-01:22, Doug VanLeuven wrote:
> ktpass.exe:
>    +des (des only - default for command)
>    -des (not des only)

I tried to create keytabs for this computer account
with all possible options -DESOnly, /crypto DES-CBC-CRC,
/crypto DES-CBC-MD5.

But as I always had "use kerberos keytab = yes", I guess
samba always overwrote the host/... principal anyway.

As this PAC thingy (I still don't know what it stands for)
doesn't seem to be important, I commented out the relevant
parts in smb_krb5_verify_checksum().
Surprise: The STATUS_LOGON_FAILUREs I mentionned in my
first mail still occurred.

Then It dawned on me, that I was possibly searching in
the wrong place.

After looking at the level 10 logs some more, I
found out, that samba was unhappy over the nonexisting
machine accounts of the clients. 
(Local User Accounts here, synced by script)

Adding a machine account to my local /etc/passwd 
seems to remedy the STATUS_LOGON_FAILUREs and
the corresponding delays.

Next step will be to either sync the AD machine accounts
to my local passwd also (which is sooooo ugly!)
or getting winbind with "idmap backend = idmap_ad"
to run, which I'm not too confident about...

Thanks for taking the time to help me, Doug and Guenther.


Christoph Kaegi                                           kgc at zhwin.ch

More information about the samba mailing list