Samba 4.0.6 git both DC and fileserver with openSUSE 12.3 clients Hi I'm trying to debug why logins to Linux clients are sometimes slow. Here is a login with the user steve2 requesting his (automounted) home folder: ] Kerberos: TGS-REQ authtime: 2013-05-01T20:57:27 starttime: 2013-05-01T20:57:27 endtime: 2013-05-02T06:57:27 renew till: 2013-05-02T20:57:25 Kerberos: AS-REQ steve2 at HH3.SITE from ipv4:192.168.1.21:58661 for krbtgt/HH3.SITE at HH3.SITE Kerberos: Client sent patypes: 149 Kerberos: Looking for PKINIT pa-data -- steve2 at HH3.SITE Kerberos: Looking for ENC-TS pa-data -- steve2 at HH3.SITE Kerberos: No preauth found, returning PREAUTH-REQUIRED -- steve2 at HH3.SITE Kerberos: AS-REQ steve2 at HH3.SITE from ipv4:192.168.1.21:60993 for krbtgt/HH3.SITE at HH3.SITE Kerberos: Client sent patypes: encrypted-timestamp, 149 Kerberos: Looking for PKINIT pa-data -- steve2 at HH3.SITE Kerberos: Looking for ENC-TS pa-data -- steve2 at HH3.SITE Kerberos: ENC-TS Pre-authentication succeeded -- steve2 at HH3.SITE using arcfour-hmac-md5 Kerberos: AS-REQ authtime: 2013-05-01T20:58:08 starttime: unset endtime: 2013-05-02T06:58:08 renew till: 2013-05-02T20:58:05 Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5 Kerberos: Requested flags: renewable-ok Kerberos: TGS-REQ CATRAL$@HH3.SITE from ipv4:192.168.1.21:45034 for cifs/hh16 at HH3.SITE [canonicalize, renewable] Kerberos: TGS-REQ authtime: 2013-05-01T20:57:27 starttime: 2013-05-01T20:58:09 endtime: 2013-05-02T06:57:27 renew till: 2013-05-02T20:57:25 Kerberos: TGS-REQ steve2 at HH3.SITE from ipv4:192.168.1.21:45264 for cifs/hh16 at HH3.SITE [canonicalize, renewable] Kerberos: TGS-REQ authtime: 2013-05-01T20:58:08 starttime: 2013-05-01T20:58:10 endtime: 2013-05-02T06:58:08 renew till: 2013-05-02T20:58:05 In particular, I notice that there are 2 requests to the fileserver, one from CATRAL$ (the machine key is in the keytab already) and one from steve2 who just got a ticket. Does this look OK? Do both the machine and the user need to prove themselves? Any pointers as to where I could start to look otherwise? To be fair, this only tends to happen when lots of people are logging in (it's a school where 20 kids will all log in at the same time e.g. at the start of class). Cheers, Steve