Li, Ying (ESG)
2007-Aug-15 02:53 UTC
[Samba] Performance Problem / failed to verify PAC server signature
Hello,

We are experiencing lower ADS performance on Samba-3.0.22 for HPUX. I did a Google search and found one message posted earlier at http://lists.samba.org/archive/samba/2005-November/114231.html.

From my observation, it seems there was a spin on reply_spnego_negotiate()/reply_spnego_kerberos() calls that invoke register_vuid() to register uvid with different vuid# for a logon user or a client. Finally, the intermediate vuid is killed by invalidate_vuid(vuid). This caused too many SMB calls on the wire (more than hundreds of SMB calls, including SMBsesssetup, SMBtcon, SMBtdis, SMBclose, SMBulogoff), but they do nothing.

[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(243)
  ads_secrets_verify_ticket: enc type [3] decrypted message !
......
[2007/08/13 17:52:01, 3] libsmb/clikrb5.c:smb_krb5_verify_checksum(697)
  smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad encryption type
[2007/08/13 17:52:01, 2] libads/authdata.c:check_pac_checksum(659)
  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
[2007/08/13 17:52:01, 0] libads/authdata.c:decode_pac_data(870)
  decode_pac_data: failed to verify PAC server signature
[2007/08/13 17:52:01, 3] libads/kerberos_verify.c:ads_verify_ticket(416)
  ads_verify_ticket: failed to decode PAC_DATA: NT_STATUS_ACCESS_DENIED
......
[2007/08/14 12:01:05, 3] smbd/error.c:error_packet(142)
  error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2007/08/14 12:01:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(558)
  reply_spnego_negotiate, invalidate_vuid

I'm wondering whether it's an abnormal behavior, or there is a specific fix to improve performance. Could somebody look at this and help me out?

Thanks.
-Ying

Gerald (Jerry) Carter
2007-Aug-29 16:54 UTC
[Samba] Performance Problem / failed to verify PAC server signature
Ying,

> ads_secrets_verify_ticket: enc type [3] decrypted message !
> ......
> smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: Bad
> encryption type
> check_pac_checksum: PAC Verification failed: Bad encryption type
...

> I'm wondering whether it's an abnormal behavior, or there
> is a specific fix to improve performance. Could somebody look
> at this and help me out?

It looks like you have the DES only bit set on the machine trust account. I have this vague memory of the PAC checksum always being signed using RC4-HMAC. Do your Krb5 libs support that enc type? It doesn't appear that they do based on your logs. Or maybe the support was just not detected when Samba was compiled.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
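
Added example, not part of either message and not Samba code: a small Python triage of smbd debug output in the shape quoted in this thread, reporting which enctypes were rejected, which one decrypted the ticket, and whether the PAC check failed. The sample log is constructed from the lines above, the function name triage() is hypothetical, and the findings only restate the two checks suggested in the reply.

```python
import re

# Kerberos enctype numbers seen in the thread's log (standard assigned values).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
DES_ONLY = {1, 3}

# Constructed sample in the shape of the smbd debug output quoted above.
SAMPLE_LOG = """\
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(251)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2007/08/14 12:01:03, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(243)
  ads_secrets_verify_ticket: enc type [3] decrypted message !
[2007/08/13 17:52:01, 2] libads/authdata.c:check_pac_checksum(659)
  check_pac_checksum: PAC Verification failed: Bad encryption type (-1765328196)
"""

FAILED = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")
DECRYPTED = re.compile(r"enc type \[(\d+)\] decrypted message")
PAC_FAIL = re.compile(r"PAC Verification failed: (.+?)(?: \((-?\d+)\))?$")

def triage(log_text):
    """Summarise enctypes tried for the ticket and any PAC verification failure."""
    r = {"rejected": [], "decrypted_with": None, "pac_error": None,
         "pac_code": None, "findings": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := FAILED.search(line):
            r["rejected"].append(int(m.group(1)))
        elif m := DECRYPTED.search(line):
            r["decrypted_with"] = int(m.group(1))
        elif m := PAC_FAIL.search(line):
            r["pac_error"] = m.group(1)
            r["pac_code"] = int(m.group(2)) if m.group(2) else None
    enc = r["decrypted_with"]
    if enc in DES_ONLY:
        r["findings"].append(f"ticket decrypted with {ENCTYPES[enc]} only: "
                             "check the DES-only setting on the machine account")
    if r["pac_error"] == "Bad encryption type":
        r["findings"].append("PAC check failed with 'Bad encryption type': "
                             "check RC4-HMAC support in the Krb5 libs Samba was built with")
    return r

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```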