Date: Wed, 7 May 2014 07:06:41 GMT
From: Alex Kobzar <maodzedun@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: amd64/189409: Looping detected inside krb5_get_in_tkt (FreeBSD 10 x64)
Message-ID: <201405070706.s4776fle015942@cgiserv.freebsd.org>
Resent-Message-ID: <201405070710.s477A0DO070029@freefall.freebsd.org>

>Number: 189409
>Category: amd64
>Synopsis: Looping detected inside krb5_get_in_tkt (FreeBSD 10 x64)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-amd64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 07 07:10:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Alex Kobzar
>Release: FreeBSD 10.0-RELEASE-p2
>Organization: None
>Environment:
FreeBSD proxy 10.0-RELEASE-p2 FreeBSD 10.0-RELEASE-p2 #5: Wed May 7 08:25:45 EEST 2014 kobzar@proxy:/usr/obj/usr/src/sys/PROXY amd64
>Description:
Hi!

First I updated my working server from 9.1 to 9.2 with freebsd-update, and everything worked fine.
Later, I updated to 10.0 and got the bug with samba + 2008 AD server.
I didn't change any configs or settings, but I can't see AD users anymore.

In the logs I see this all the time:

May 7 09:44:06 proxy winbindd[73909]: Kinit failed: Looping detected inside krb5_get_in_tkt
May 7 09:44:06 proxy winbindd[73909]: [2014/05/07 09:44:06.628421, 0] libads/kerberos_util.c:101(ads_kinit_password)

===================================================

I tried installing a clean copy of FreeBSD and updated all ports, the system, etc.
I tried using different configs for samba and kerberos, but the error did not go away.

So, these are my configs (working on FreeBSD 9.2 now):

===================================================
└──╼ cat /etc/krb5.conf
[libdefaults]
    default_realm = JSP.LOCAL
    clockskew = 600
[realms]
    JSP.LOCAL = {
        kdc = dco.jsp.local
        admin_server = 10.11.12.8
    }
[domain_realms]
    JSP.LOCAL = jsp.local
===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ kinit -p kobzar
kobzar@JSP.LOCAL's Password:
┌─[proxy]─[/home/kobzar]
└──╼ klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: kobzar@JSP.LOCAL

  Issued                Expires               Principal
May 7 09:55:05 2014  May 7 19:55:03 2014  krbtgt/JSP.LOCAL@JSP.LOCAL
===================================================

As you see, no problem with tickets.

===================================================
┌─[proxy]─[/home/kobzar]
└──╼ pkg version |grep samba
samba36-3.6.23 =
└──╼ cat /usr/local/etc/smb.conf
[global]
    workgroup = JSP
    server string = Work
    load printers = no
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
    smb ports = 139
    security = ADS
    realm = JSP.LOCAL
    idmap backend = tdb
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = No
    winbind use default domain = yes
    passdb backend = tdbsam
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    disable netbios = no
    dos charset = ASCII
    unix charset = UTF8
    display charset = UTF8
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -p
Ping to winbindd succeeded
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -t
===================================================
checking the trust secret for domain JSP via RPC calls succeeded
===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ wbinfo -u
NO data
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -g
NO data
===================================================

id and getent see only local users and groups

===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ cat /etc/nsswitch.conf
group: files winbind
passwd: files winbind
#group: compat
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
┌─[proxy]─[/home/kobzar]
└──╼ net ads lookup
Information for Domain Controller: 10.0.0.1
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
    Is a PDC: yes
    Is a GC of the forest: yes
    Is an LDAP server: yes
    Supports DS: yes
    Is running a KDC: yes
    Is running time services: yes
    Is the closest DC: yes
    Is writable: yes
    Has a hardware clock: yes
    Is a non-domain NC serviced by LDAP server: no
    Is NT6 DC that has some secrets: no
    Is NT6 DC that has all secrets: yes
Forest: jsp.local
Domain: jsp.local
Domain Controller: Tango.jsp.local
Pre-Win2k Domain: JSP
Pre-Win2k Hostname: TANGO
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
===================================================
└──╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error
===================================================
┌─[proxy]─[/usr/ports/security/krb5]
└──╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
===================================================

Please do something. I found many people on the web who have this trouble, but no one could find a solution.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: