amd64/188014: FreeBSD 10 Looping detected inside krb5_get_in_tkt

Александр maodzedun at gmail.com
Thu Mar 27 10:50:00 UTC 2014


>Number:         188014
>Category:       amd64
>Synopsis:       FreeBSD 10 Looping detected inside krb5_get_in_tkt
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-amd64
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 27 10:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Александр
>Release:        10.0-RELEASE
>Organization:
Суперфирма
>Environment:
FreeBSD proxy 10.0-RELEASE FreeBSD 10.0-RELEASE #2: Fri Mar 21 14:37:34 EET 2014     kobzar at proxy:/usr/obj/usr/src/sys/PROXY  amd64

>Description:
Was on release 9.1!
Updated via freebsd-update to 9.2 - everything fine!
Then updated to release 10!
After the update, rebuilt world, kernel and all packages!
Mergemaster and so on! Replaced BIND with UNBOUND!
All services work! No errors! Except that the link to the Windows 2008 domain stopped working! The Samba config did not change, nor did the Kerberos one!
Errors in the logs:
Mar 27 10:35:00 proxy winbindd[66318]: [2014/03/27 10:35:00.112260,  0] libads/kerberos_util.c:101(ads_kinit_password)
Mar 27 10:35:00 proxy winbindd[66318]:   kerberos_kinit_password PROXY$@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt

wbinfo -p
Ping to winbindd succeeded

kinit and klist are fine! Tickets are issued!

net ads info
LDAP server: 10.11.12.8
LDAP server name: DCO.domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: чт, 27 мар 2014 10:43:44 EET
KDC server: 10.11.12.8
Server time offset: -19

net ads lookup
Information for Domain Controller: 172.16.16.2

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
        Is a PDC:                                   yes
        Is a GC of the forest:                      yes
        Is an LDAP server:                          yes
        Supports DS:                                yes
        Is running a KDC:                           yes
        Is running time services:                   yes
        Is the closest DC:                          yes
        Is writable:                                yes
        Has a hardware clock:                       yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets:            no
        Is NT6 DC that has all secrets:             yes
Forest:                 domain.local
Domain:                 domain.local
Domain Controller:      pdc.domain.local
Pre-Win2k Domain:       DOMAIN
Pre-Win2k Hostname:     PDC
Server Site Name :              Default-First-Site-Name
Client Site Name :              Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

And then it gets mysterious

wbinfo -u -g - empty

net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error

net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
net ads join -U kobzar@DOMAIN.LOCAL
Enter kobzar@JSP.LOCAL's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

pkg version|grep samba
samba36-3.6.23                     

cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = no
 dns_lookup_kdc = no
 ticket_lifetime = 24h
 default_keytab_name = /usr/local/etc/squid/squid.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 JSP.LOCAL = {
  kdc = dco.domain.local
  admin_server = dco.domain.local
  default_domain = dco.domain.local
  }

[domain_realm]
        .domain.local = JSP.LOCAL
        domain.local = JSP.LOCAL

cat /usr/local/etc/smb.conf
#======================= Global Settings =====================================
[global]
    workgroup = DOMAIN
    netbios name = proxy
    server string = Proxy Server
    security = ADS
    auth methods = winbind
    password server = domain.local
    realm = DOMAIN.LOCAL
    local master = no
    domain master = no
    preferred master = no
    dns proxy = yes
    map to guest = Bad User
    wins support = no
    client NTLMv2 auth = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    client signing = Yes
    disable spoolss = Yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
    inherit acls = Yes
    hosts allow = 10.11.12., 172.16.16., 127.
    map acl inherit = Yes
    case sensitive = No
    nt acl support = yes
    os level = 10
    socket options = TCP_NODELAY
    load printers = no
# Charset settings
    display charset = utf-8
    unix charset = utf-8
    dos charset = cp866
    encrypt passwords = yes
    winbind separator = /
    load printers = no

[Work]
   comment = Work
   path = /home/Work
   admin users = "@DOMAIN+Администраторы\ домена", "@DOMAIN\kobzar"
   browseable = yes
   writable = yes
   create mask = 0660
   directory mask = 0770
   inherit acls = yes
   inherit owner = yes
   inherit permissions = yes
   map acl inherit = yes
   locking = no



>How-To-Repeat:
The error is persistent
>Fix:
No solution! Only similar reports on the internet - no solution

>Release-Note:
>Audit-Trail:
>Unformatted:
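
An added consistency check for a krb5.conf shaped like the one quoted in this report (example code written here, not the reporter's and not part of Samba or MIT Kerberos): it parses the section and NAME = { ... } realm syntax, flags realms that are referenced by default_realm or [domain_realm] but never defined under [realms] (with dns_lookup_kdc = no the library then has no way to locate a KDC for them), and lists single-DES enctypes still enabled. The embedded sample is constructed from the values quoted in the report, anonymized realm names included.

```python
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_kdc = no
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 JSP.LOCAL = {
  kdc = dco.domain.local
  }
[domain_realm]
 .domain.local = JSP.LOCAL
 domain.local = JSP.LOCAL
"""
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # single DES: gone from MIT krb5 1.18+, off by default on Server 2008 R2+

def parse_krb5_conf(text):
    """Minimal krb5.conf reader; [realms] gets one level of 'NAME = { ... }' nesting."""
    conf, section, realm = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            realm = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":  # start of a realm block
                realm, conf[section][key] = key, {}
            elif realm is not None:
                conf[section][realm][key] = value
            else:
                conf[section][key] = value
    return conf

def check_krb5_conf(text):
    """Flag realms referenced without a [realms] entry and DES enctypes still enabled."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    referenced = (set(conf.get("domain_realm", {}).values()) | {libdefaults.get("default_realm", "")}) - {""}
    dns_off = libdefaults.get("dns_lookup_kdc", "true").lower() in ("no", "false", "0")
    findings = []
    for realm in sorted(referenced - set(conf.get("realms", {}))):
        findings.append(f"realm {realm} is referenced but not defined in [realms]"
                        + ("; dns_lookup_kdc = no, so no KDC can be located" if dns_off else ""))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in libdefaults.get(key, "").split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} lists DES enctypes: {' '.join(weak)}")
    return findings
```

Run check_krb5_conf on the real file before changing anything on the KDC side; the findings are read-only and say nothing about the KDC itself.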

