Christoph Kaegi
2005-Nov-21 15:43 UTC
[Samba] Performance Problem / failed to verify PAC server signature
Hello List

We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind)
but authenticating against ADS.
There are up to 800 concurrent users, mostly Windows XP SP3.

When clients access MyDocuments, which is redirected to the Samba
share, we observe several

"Session Setup AndX Request"s

followed by

"Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"s

The delay between the request and the negative response is negligible
when less than 200 users are online. But at more than 500 concurrent
users, the delay becomes something between 1 to 5 seconds.

This delays access to MyDocuments quite a bit, considering that
there are sometimes up to 10 such requests.

So I'm interested in finding the problem and fixing it.
The log says:

-------------------------------------- 8< --------------------------------------
[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
  smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
[2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
  decode_pac_data: failed to verify PAC server signature
[2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
  ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
-------------------------------------- 8< --------------------------------------

Other relevant Server settings are:

-------------------------------------- 8< --------------------------------------
security = ADS
realm = FOO.BAR
use kerberos keytab = yes
workgroup = FOOBAR
log file = /var/log/samba/smbd.log
log level = 10
max log size = 0
socket options = TCP_NODELAY
local master = no
domain master = no
preferred master = no
domain logons = no
wins support = no
-------------------------------------- 8< --------------------------------------

Any hints?
Thanks a lot
Christoph

--
----------------------------------------------------------------------
Christoph Kaegi kgc@zhwin.ch
----------------------------------------------------------------------
Guenther Deschner
2005-Nov-22 09:59 UTC
[Samba] Performance Problem / failed to verify PAC server signature
Hi,

On Mon, Nov 21, 2005 at 04:42:39PM +0100, Christoph Kaegi wrote:
>
> Hello List
>
> We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind)
> but authenticating against ADS.
> There are up to 800 concurrent users, mostly Windows XP SP3.
>
> When clients access MyDocuments, which is redirected to the Samba
> share, we observe several
>
> "Session Setup AndX Request"s
>
> followed by
>
> "Session Setup AndX Response, Error: STATUS_LOGON_FAILURE"s
>
> The delay between the request and the negative response is negligible
> when less than 200 users are online. But at more than 500 concurrent
> users, the delay becomes something between 1 to 5 seconds.
>
> This delays access to MyDocuments quite a bit, considering that
> there are sometimes up to 10 such requests.
>
> So I'm interested in finding the problem and fixing it.
> The log says:
>
> -------------------------------------- 8< --------------------------------------
> [2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
>   smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
> [2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
>   check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
> [2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
>   decode_pac_data: failed to verify PAC server signature
> [2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
>   ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
> -------------------------------------- 8< --------------------------------------

First of all: are you sure you are running Samba 3.0.20? The PAC
verification code is not in any of the 3.0.20/a/b tarball releases (just
accidentally in the 3.0.20a subversion tags directory) but only in the
3.0.21 series of pre-releases/rcs.

Then you most probably are forced to use DES keys when authenticating
with Kerberos on your OS, right?
PAC verification must then fail due to a bug in Windows (which fails to
put DES-based checksum into the PAC signatures), so we can't verify the
signature.

What exact Kerberos library are you using (version)?

Nonetheless, failure of the PAC verification is non-critical, we just
return to old behaviour and ignore the PAC again, meaning that you can
ignore the error messages.

Guenther

--
Günther Deschner GPG-ID: 8EE11688
Novell / SUSE LINUX gd@suse.de
Samba Team gd@samba.org
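
Added example (not part of either post, and not Samba code): a small Python triage script that pairs each smbd debug header with its message line, counts PAC checksum failures per second, and checks whether every failure carries the krb5 "Bad encryption type" code seen in the thread. The sample is the log excerpt from the thread plus one constructed record; the constant for -1765328196 follows the MIT krb5 error table, and the function names are this example's own.

```python
import re
from collections import Counter

# MIT krb5 error table: base -1765328384, KRB5_BAD_ENCTYPE is entry 188.
KRB5_BAD_ENCTYPE = -1765328384 + 188   # -1765328196, "Bad encryption type"

# smbd debug header: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+), *(?P<level>\d+)\] "
                    r"(?P<src>[^:]+):(?P<func>\w+)\((?P<line>\d+)\)$")
PAC_CODE = re.compile(r"PAC Verification failed: .*\((-?\d+)\)")

# Log excerpt from the thread; the last record is constructed for this example.
SAMPLE = """\
[2005/11/21 16:09:28, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(695)
  smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2005/11/21 16:09:28, 2] libads/authdata.c:check_pac_checksum(666)
  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
[2005/11/21 16:09:28, 0] libads/authdata.c:decode_pac_data(876)
  decode_pac_data: failed to verify PAC server signature
[2005/11/21 16:09:28, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
  ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
[2005/11/21 16:09:29, 3] smbd/example.c:constructed_function(1)
  constructed record, not from the thread
"""

def parse_records(text):
    """Return one dict per debug record: header fields plus the joined message."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "func": m["func"], "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def pac_failures(text):
    """Count check_pac_checksum failures per second and per krb5 error code."""
    per_second, codes = Counter(), Counter()
    for rec in parse_records(text):
        m = PAC_CODE.search(rec["msg"]) if rec["func"] == "check_pac_checksum" else None
        if m:
            per_second[rec["ts"]] += 1
            codes[int(m.group(1))] += 1
    return per_second, codes

def only_bad_enctype(codes):
    """True when every PAC failure is the enctype mismatch discussed in the reply."""
    return bool(codes) and set(codes) == {KRB5_BAD_ENCTYPE}

if __name__ == "__main__":
    per_second, codes = pac_failures(SAMPLE)
    print(dict(per_second), dict(codes), only_bad_enctype(codes))
```

Run against a full smbd.log, the per-second counts can be lined up with the Session Setup delays seen on the wire; any failure code other than KRB5_BAD_ENCTYPE falls outside the case the reply describes.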