Date:      Thu, 27 Mar 2014 10:47:56 GMT
From:      Александр <maodzedun@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   amd64/188014: FreeBSD 10  Looping detected inside krb5_get_in_tkt
Message-ID:  <201403271047.s2RAlu2q066532@cgiserv.freebsd.org>
Resent-Message-ID: <201403271050.s2RAo01W037270@freefall.freebsd.org>


>Number:         188014
>Category:       amd64
>Synopsis:       FreeBSD 10  Looping detected inside krb5_get_in_tkt
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-amd64
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 27 10:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Александр
>Release:        10.0-RELEASE
>Organization:
Суперфирма
>Environment:
FreeBSD proxy 10.0-RELEASE FreeBSD 10.0-RELEASE #2: Fri Mar 21 14:37:34 EET 2014     kobzar@proxy:/usr/obj/usr/src/sys/PROXY  amd64

>Description:
Was running release 9.1!
Upgraded via freebsd-update to 9.2 - runs fine!
Then upgraded to release 10!
After the upgrade, rebuilt world, kernel and all packages!
mergemaster and so on! Replaced BIND with UNBOUND!
All services work! No errors! Except that connectivity to the Windows 2008 domain stopped working. The Samba config was not changed, nor was the Kerberos one!
Errors in the logs:
Mar 27 10:35:00 proxy winbindd[66318]: [2014/03/27 10:35:00.112260,  0] libads/kerberos_util.c:101(ads_kinit_password)
Mar 27 10:35:00 proxy winbindd[66318]:   kerberos_kinit_password PROXY$@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt

──╼ wbinfo -p
Ping to winbindd succeeded

kinit and klist are fine! Tickets are issued!

└──╼ net ads info
LDAP server: 10.11.12.8
LDAP server name: DCO.domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: Thu, 27 Mar 2014 10:43:44 EET
KDC server: 10.11.12.8
Server time offset: -19

 net ads lookup
Information for Domain Controller: 172.16.16.2

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
        Is a PDC:                                   yes
        Is a GC of the forest:                      yes
        Is an LDAP server:                          yes
        Supports DS:                                yes
        Is running a KDC:                           yes
        Is running time services:                   yes
        Is the closest DC:                          yes
        Is writable:                                yes
        Has a hardware clock:                       yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets:            no
        Is NT6 DC that has all secrets:             yes
Forest:                 domain.local
Domain:                 domain.local
Domain Controller:      pdc.domain.local
Pre-Win2k Domain:       DOMAIN
Pre-Win2k Hostname:     PDC
Server Site Name :              Default-First-Site-Name
Client Site Name :              Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

And then the mystery begins:

wbinfo -u / wbinfo -g - empty output

─╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error

╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
┌─[✗]─[proxy]─[/usr/ports/security/krb5]
└──╼ net ads join -U kobzar@DOMAIN.LOCAL
Enter kobzar@JSP.LOCAL's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

──╼ pkg version | grep samba
samba36-3.6.23                     

└──╼ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = no
 dns_lookup_kdc = no
 ticket_lifetime = 24h
 default_keytab_name = /usr/local/etc/squid/squid.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 JSP.LOCAL = {
  kdc = dco.domain.local
  admin_server = dco.domain.local
  default_domain = dco.domain.local
  }

[domain_realm]
        .domain.local = JSP.LOCAL
        domain.local = JSP.LOCAL

└──╼ cat /usr/local/etc/smb.conf
#======================= Global Settings =====================================
[global]
    workgroup = DOMAIN
    netbios name = proxy
    server string = Proxy Server
    security = ADS
    auth methods = winbind
    password server = domain.local
    realm = DOMAIN.LOCAL
    local master = no
    domain master = no
    preferred master = no
    dns proxy = yes
    map to guest = Bad User
    wins support = no
    client NTLMv2 auth = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    client signing = Yes
    disable spoolss = Yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
    inherit acls = Yes
    hosts allow = 10.11.12., 172.16.16., 127.
    map acl inherit = Yes
    case sensitive = No
    nt acl support = yes
    os level = 10
    socket options = TCP_NODELAY
    load printers = no
# Charset settings
    display charset = utf-8
    unix charset = utf-8
    dos charset = cp866
    encrypt passwords = yes
    winbind separator = /
    load printers = no

[Work]
   comment = Work
   path = /home/Work
   admin users = "@DOMAIN+Администраторы\ домена", "@DOMAIN\kobzar"
   browseable = yes
   writable = yes
   create mask = 0660
   directory mask = 0770
   inherit acls = yes
   inherit owner = yes
   inherit permissions = yes
   map acl inherit = yes
   locking = no



>How-To-Repeat:
The error is persistent.
>Fix:
No solution! The internet only has similar reports - no solution.

>Release-Note:
>Audit-Trail:
>Unformatted:
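Added example (mine, not from the PR, FreeBSD or MIT Kerberos): a small Python lint for the realm wiring of an MIT krb5.conf. The posted config names two realms inconsistently, default_realm = DOMAIN.LOCAL under [libdefaults] but a [realms] stanza and [domain_realm] mappings for JSP.LOCAL (possibly a partial redaction in the report), and its enctype lists include single-DES types, which MIT krb5 1.8 and later reject unless allow_weak_crypto = true. The script parses the file, checks that default_realm and every [domain_realm] target have a [realms] stanza, that a realm names a kdc= when dns_lookup_kdc is off, and flags single-DES enctypes. PR_KRB5_CONF is the report's [libdefaults], [realms] and [domain_realm] content with unrelated lines dropped; CONSISTENT_KRB5_CONF is a constructed fixture that passes the same checks, not a config the PR reports as working. The lint inspects the file only; it talks to no KDC and does not establish why krb5_get_in_tkt looped.

```python
"""Consistency lint for MIT krb5.conf realm wiring and enctype lists.
Added example, not part of the PR; it only reads the file."""
import re

# Single-DES enctypes: MIT krb5 >= 1.8 refuses them unless
# [libdefaults] allow_weak_crypto = true is set.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Relevant lines from the PR's /etc/krb5.conf ([logging] etc. dropped).
PR_KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = no
 dns_lookup_kdc = no
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 JSP.LOCAL = {
  kdc = dco.domain.local
  admin_server = dco.domain.local
  default_domain = dco.domain.local
  }

[domain_realm]
        .domain.local = JSP.LOCAL
        domain.local = JSP.LOCAL
"""

# Constructed fixture: realm names agree and single-DES is dropped.
# It is a lint fixture, not a config the PR reports as working.
CONSISTENT_KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_kdc = no
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

[realms]
 DOMAIN.LOCAL = {
  kdc = dco.domain.local
  admin_server = dco.domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; one level of '{ ... }'
    nesting (as used by [realms]) becomes a sub-dict. Repeated keys keep the
    last value; full-line '#' / ';' comments and blank lines are skipped."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                       # new [section]
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":             # end of a '{' block
            block = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        target = section if block is None else block
        if value == "{":            # start of a nested block, e.g. REALM = {
            block = target.setdefault(key, {})
        else:
            target[key] = value
    return conf


def lint_krb5_conf(conf):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    lib = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    truthy = ("true", "yes", "1")
    dns_kdc = lib.get("dns_lookup_kdc", "true").lower() in truthy
    weak_ok = lib.get("allow_weak_crypto", "false").lower() in truthy

    default_realm = lib.get("default_realm")
    if default_realm is None:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] stanza "
                        f"(defined: {', '.join(sorted(realms)) or 'none'})")

    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm maps {domain} to {realm}, "
                            f"which has no [realms] stanza")

    # With DNS KDC lookup off, every realm must name its KDC explicitly.
    for realm, params in realms.items():
        if not dns_kdc and "kdc" not in params:
            findings.append(f"realm {realm}: no kdc= and dns_lookup_kdc is off")

    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        des = [e for e in lib.get(key, "").split() if e in SINGLE_DES]
        if des and not weak_ok:
            findings.append(f"{key} lists {' '.join(des)}: single-DES is rejected "
                            f"by MIT krb5 >= 1.8 unless allow_weak_crypto = true")
    return findings
```

Running lint_krb5_conf(parse_krb5_conf(PR_KRB5_CONF)) yields four findings: the default_realm / [realms] mismatch and one single-DES warning per enctype list; the constructed fixture yields none. To lint a live host, read /etc/krb5.conf into the parser instead of the embedded string.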


