Message-Id: <201405070706.s4776fle015942@cgiserv.freebsd.org>
Date: Wed, 7 May 2014 07:06:41 GMT
From: Alex Kobzar
To: freebsd-gnats-submit@FreeBSD.org
Subject: amd64/189409: Looping detected inside krb5_get_in_tkt (FreeBSD 10 x64)
List-Id: Porting FreeBSD to the AMD64 platform

>Number: 189409
>Category: amd64
>Synopsis: Looping detected inside krb5_get_in_tkt (FreeBSD 10 x64)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-amd64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 07 07:10:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Alex Kobzar
>Release: FreeBSD 10.0-RELEASE-p2
>Organization: None
>Environment:
FreeBSD proxy 10.0-RELEASE-p2 FreeBSD 10.0-RELEASE-p2 #5: Wed May 7 08:25:45 EEST 2014 kobzar@proxy:/usr/obj/usr/src/sys/PROXY amd64
>Description:
Hi!

First I updated my working server from 9.1 to 9.2 with freebsd-update, and everything worked well. Later, I updated to 10.0 and got the bug with Samba + 2008 AD server. I didn't change any configs or settings, but I can't see AD users anymore.
In the logs I see this all the time:

May 7 09:44:06 proxy winbindd[73909]: Kinit failed: Looping detected inside krb5_get_in_tkt
May 7 09:44:06 proxy winbindd[73909]: [2014/05/07 09:44:06.628421, 0] libads/kerberos_util.c:101(ads_kinit_password)
===================================================
I tried installing a clean copy of FreeBSD and updated all ports, the system, etc. I tried using different configs for Samba and Kerberos, but the error did not go away.

So, these are my configs (working on FreeBSD 9.2 now):
===================================================
└──╼ cat /etc/krb5.conf
[libdefaults]
    default_realm = JSP.LOCAL
    clockskew = 600
[realms]
    JSP.LOCAL = {
        kdc = dco.jsp.local
        admin_server = 10.11.12.8
    }
[domain_realms]
    JSP.LOCAL = jsp.local
===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ kinit -p kobzar
kobzar@JSP.LOCAL's Password:
┌─[proxy]─[/home/kobzar]
└──╼ klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: kobzar@JSP.LOCAL

  Issued                Expires               Principal
May 7 09:55:05 2014  May 7 19:55:03 2014  krbtgt/JSP.LOCAL@JSP.LOCAL
===================================================
As you see, no problem with tickets.
===================================================
┌─[proxy]─[/home/kobzar]
└──╼ pkg version |grep samba
samba36-3.6.23 =
└──╼ cat /usr/local/etc/smb.conf
[global]
    workgroup = JSP
    server string = Work
    load printers = no
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
    smb ports = 139
    security = ADS
    realm = JSP.LOCAL
    idmap backend = tdb
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = No
    winbind use default domain = yes
    passdb backend = tdbsam
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    disable netbios = no
    dos charset = ASCII
    unix charset = UTF8
    display charset = UTF8
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -p
Ping to winbindd succeeded
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -t
===================================================
checking the trust secret for domain JSP via RPC calls succeeded
===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ wbinfo -u
NO data
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -g
NO data
===================================================
id and getent see only local users and groups
===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ cat /etc/nsswitch.conf
group: files winbind
passwd: files winbind
#group: compat
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
┌─[proxy]─[/home/kobzar]
└──╼ net ads lookup
Information for Domain Controller: 10.0.0.1

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
        Is a PDC: yes
        Is a GC of the forest: yes
        Is an LDAP server: yes
        Supports DS: yes
        Is running a KDC: yes
        Is running time services: yes
        Is the closest DC: yes
        Is writable: yes
        Has a hardware clock: yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets: no
        Is NT6 DC that has all secrets: yes
Forest: jsp.local
Domain: jsp.local
Domain Controller: Tango.jsp.local
Pre-Win2k Domain: JSP
Pre-Win2k Hostname: TANGO
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
===================================================
└──╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error
===================================================
┌─[proxy]─[/usr/ports/security/krb5]
└──╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
===================================================
Please do something. I found many people on the web who have this trouble, but no one could find a solution.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: