samba - Nov 2005 - Performance Problem / failed to verify PAC server signature

Hello List

We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind)
but authenticating against ADS.
There are up to 800 concurrent users, mostly Windows XP SP3.

When clients access MyDocuments, which is redirected to the Samba 
share, we observe several 

  "Session Setup AndX Request"s

followed by 

  "Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"s

The delay between the request and the negative response is negligible 
when less than 200 users are online. But at more than 500 concurrent
users, the delay becomes something between 1 to 5 secons.

This delays access to MyDocuments quite a bit, considering that 
there are sometimes up to 10 such requests.

So I'm interested in finding the problem and fixing it.
The log says:

-------------------------------------- 8<
--------------------------------------
[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
  smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
[2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
  decode_pac_data: failed to verify PAC server signature
[2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
  ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
-------------------------------------- 8<
--------------------------------------

Other relevant Server settings are:

-------------------------------------- 8<
--------------------------------------
security            = ADS
realm               = FOO.BAR
use kerberos keytab = yes
workgroup           = FOOBAR

log file       = /var/log/samba/smbd.log
log level      = 10
max log size   = 0
socket options = TCP_NODELAY
local master   = no
domain master  = no
preferred master = no
domain logons    = no
wins support     = no
-------------------------------------- 8<
--------------------------------------

Any hints?

Thanks alot

Christoph

-- 
----------------------------------------------------------------------
Christoph Kaegi                                           kgc@zhwin.ch
----------------------------------------------------------------------

Hi,

On Mon, Nov 21, 2005 at 04:42:39PM +0100, Christoph Kaegi
wrote:
> 
> Hello List
> 
> We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind)
> but authenticating against ADS.
> There are up to 800 concurrent users, mostly Windows XP SP3.
> 
> When clients access MyDocuments, which is redirected to the Samba 
> share, we observe several 
> 
>   "Session Setup AndX Request"s
> 
> followed by 
> 
>   "Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"s
> 
> The delay between the request and the negative response is negligible 
> when less than 200 users are online. But at more than 500 concurrent
> users, the delay becomes something between 1 to 5 secons.
> 
> This delays access to MyDocuments quite a bit, considering that 
> there are sometimes up to 10 such requests.
> 
> So I'm interested in finding the problem and fixing it.
> The log says:
> 
> -------------------------------------- 8<
--------------------------------------
> [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
>   smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption
type
> [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
>   check_pac_checksum: PAC Verification failed: Bad encryption type
(-1765328196)
> [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
>   decode_pac_data: failed to verify PAC server signature
> [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
>   ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
> -------------------------------------- 8<
--------------------------------------
First of all: are you sure you are running Samba 3.0.20? The PAC
verification code is not in any of the 3.0.20/a/b tarball releases (just
accidentially in the 3.0.20a subversion tags directory) but only in the
3.0.21 series of pre-releases/rcs.

Then you most probably are forced to use DES keys when authenticating with
Kerberos on your OS, right? PAC verification must then fail due to a bug
in Windows (which fails to put DES-based checksum into the PAC
signatures), so we can't verify the signature. What exact Kerberos library
are you using (version) ?

Nonetheless, failure of the PAC verification is non-critical, we just
return to old behaviour and ignore the PAC again, meaning that you can
ignore the error messages.

Guenther
-- 
G?nther Deschner                    GPG-ID: 8EE11688
Novell / SUSE LINUX                       gd@suse.de
Samba Team                              gd@samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20051122/61e14ad1/attachment.bin