Date: Thu, 27 Mar 2014 10:47:56 GMT
From: Александр <maodzedun@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: amd64/188014: FreeBSD 10 Looping detected inside krb5_get_in_tkt
Message-ID: <201403271047.s2RAlu2q066532@cgiserv.freebsd.org>
Resent-Message-ID: <201403271050.s2RAo01W037270@freefall.freebsd.org>

>Number:         188014
>Category:       amd64
>Synopsis:       FreeBSD 10 Looping detected inside krb5_get_in_tkt
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-amd64
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 27 10:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Александр
>Release:        10.0-RELEASE
>Organization:
Суперфирма
>Environment:
FreeBSD proxy 10.0-RELEASE FreeBSD 10.0-RELEASE #2: Fri Mar 21 14:37:34 EET 2014 kobzar@proxy:/usr/obj/usr/src/sys/PROXY amd64
>Description:
I was running release 9.1! I updated to 9.2 via freebsd-update and everything ran fine! Then I updated to release 10! After the update I rebuilt world, the kernel and all packages! Mergemaster and so on! Replaced BIND with UNBOUND! All services work! No errors! Except that the connection to the Windows 2008 domain has stopped working! The Samba config was not changed, nor was the Kerberos one!

Errors in the logs:

Mar 27 10:35:00 proxy winbindd[66318]: [2014/03/27 10:35:00.112260, 0] libads/kerberos_util.c:101(ads_kinit_password)
Mar 27 10:35:00 proxy winbindd[66318]: kerberos_kinit_password PROXY$@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt

──╼ wbinfo -p
Ping to winbindd succeeded

kinit and klist are fine! Tickets are issued!

└──╼ net ads info
LDAP server: 10.11.12.8
LDAP server name: DCO.domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: чт, 27 мар 2014 10:43:44 EET
KDC server: 10.11.12.8
Server time offset: -19

net ads lookup
Information for Domain Controller: 172.16.16.2

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
        Is a PDC: yes
        Is a GC of the forest: yes
        Is an LDAP server: yes
        Supports DS: yes
        Is running a KDC: yes
        Is running time services: yes
        Is the closest DC: yes
        Is writable: yes
        Has a hardware clock: yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets: no
        Is NT6 DC that has all secrets: yes
Forest: domain.local
Domain: domain.local
Domain Controller: pdc.domain.local
Pre-Win2k Domain: DOMAIN
Pre-Win2k Hostname: PDC
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

And then it gets mysterious: wbinfo -u -g returns nothing.

─╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error

╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

┌─[✗]─[proxy]─[/usr/ports/security/krb5]
└──╼ net ads join -U kobzar@DOMAIN.LOCAL
Enter kobzar@JSP.LOCAL's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

──╼ pkg version|grep samba
samba36-3.6.23

└──╼ cat /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = no
    dns_lookup_kdc = no
    ticket_lifetime = 24h
    default_keytab_name = /usr/local/etc/squid/squid.keytab
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    JSP.LOCAL = {
        kdc = dco.domain.local
        admin_server = dco.domain.local
        default_domain = dco.domain.local
    }

[domain_realm]
    .domain.local = JSP.LOCAL
    domain.local = JSP.LOCAL

└──╼ cat /usr/local/etc/smb.conf
#======================= Global Settings =====================================
[global]
    workgroup = DOMAIN
    netbios name = proxy
    server string = Proxy Server
    security = ADS
    auth methods = winbind
    password server = domain.local
    realm = DOMAIN.LOCAL
    local master = no
    domain master = no
    preferred master = no
    dns proxy = yes
    map to guest = Bad User
    wins support = no
    client NTLMv2 auth = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    client signing = Yes
    disable spoolss = Yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
    inherit acls = Yes
    hosts allow = 10.11.12., 172.16.16., 127.
    map acl inherit = Yes
    case sensitive = No
    nt acl support = yes
    os level = 10
    socket options = TCP_NODELAY
    load printers = no
    # Charset settings
    display charset = utf-8
    unix charset = utf-8
    dos charset = cp866
    encrypt passwords = yes
    winbind separator = /
    load printers = no

[Work]
    comment = Work
    path = /home/Work
    admin users = "@DOMAIN+Администраторы\ домена", "@DOMAIN\kobzar"
    browseable = yes
    writable = yes
    create mask = 0660
    directory mask = 0770
    inherit acls = yes
    inherit owner = yes
    inherit permissions = yes
    map acl inherit = yes
    locking = no
>How-To-Repeat:
The error is persistent.
>Fix:
No solution! On the internet there are only similar reports, with no solution.
>Release-Note:
>Audit-Trail:
>Unformatted: