amd64/188014: FreeBSD 10 Looping detected inside krb5_get_in_tkt
Александр
maodzedun at gmail.com
Thu Mar 27 10:50:00 UTC 2014
>Number: 188014
>Category: amd64
>Synopsis: FreeBSD 10 Looping detected inside krb5_get_in_tkt
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-amd64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 27 10:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Александр
>Release: 10.0-RELEASE
>Organization:
Суперфирма
>Environment:
FreeBSD proxy 10.0-RELEASE FreeBSD 10.0-RELEASE #2: Fri Mar 21 14:37:34 EET 2014 kobzar at proxy:/usr/obj/usr/src/sys/PROXY amd64
>Description:
The system was on release 9.1.
Updated via freebsd-update to 9.2 - everything ran fine.
Then updated to release 10.
After the update, rebuilt world, kernel and all packages.
Ran mergemaster and so on. Replaced BIND with UNBOUND.
All services work, no errors, except that communication with the Windows 2008 domain stopped working. The Samba config was not changed, and neither was the Kerberos one.
Errors in the logs:
Mar 27 10:35:00 proxy winbindd[66318]: [2014/03/27 10:35:00.112260, 0] libads/kerberos_util.c:101(ads_kinit_password)
Mar 27 10:35:00 proxy winbindd[66318]: kerberos_kinit_password PROXY$@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
╼ wbinfo -p
Ping to winbindd succeeded
kinit and klist are fine; tickets are issued.
╼ net ads info
LDAP server: 10.11.12.8
LDAP server name: DCO.domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: чт, 27 мар 2014 10:43:44 EET
KDC server: 10.11.12.8
Server time offset: -19
net ads lookup
Information for Domain Controller: 172.16.16.2
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: yes
Forest: domain.local
Domain: domain.local
Domain Controller: pdc.domain.local
Pre-Win2k Domain: DOMAIN
Pre-Win2k Hostname: PDC
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
And from here on it gets strange:
wbinfo -u -g - empty output
╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error
╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar at DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
[✗][proxy][/usr/ports/security/krb5]
╼ net ads join -U kobzar at DOMAIN.LOCAL
Enter kobzar at JSP.LOCAL's password:
kerberos_kinit_password kobzar at DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
╼ pkg version|grep samba
samba36-3.6.23
╼ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = no
dns_lookup_kdc = no
ticket_lifetime = 24h
default_keytab_name = /usr/local/etc/squid/squid.keytab
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
JSP.LOCAL = {
kdc = dco.domain.local
admin_server = dco.domain.local
default_domain = dco.domain.local
}
[domain_realm]
.domain.local = JSP.LOCAL
domain.local = JSP.LOCAL
╼ cat /usr/local/etc/smb.conf
#======================= Global Settings =====================================
[global]
workgroup = DOMAIN
netbios name = proxy
server string = Proxy Server
security = ADS
auth methods = winbind
password server = domain.local
realm = DOMAIN.LOCAL
local master = no
domain master = no
preferred master = no
dns proxy = yes
map to guest = Bad User
wins support = no
client NTLMv2 auth = Yes
log file = /var/log/samba/log.%m
max log size = 50
client signing = Yes
disable spoolss = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes
inherit acls = Yes
hosts allow = 10.11.12., 172.16.16., 127.
map acl inherit = Yes
case sensitive = No
nt acl support = yes
os level = 10
socket options = TCP_NODELAY
load printers = no
# Charset settings
display charset = utf-8
unix charset = utf-8
dos charset = cp866
encrypt passwords = yes
winbind separator = /
load printers = no
[Work]
comment = Work
path = /home/Work
admin users = "@DOMAIN+Администраторы\ домена", "@DOMAIN\kobzar"
browseable = yes
writable = yes
create mask = 0660
directory mask = 0770
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map acl inherit = yes
locking = no
>How-To-Repeat:
The error is persistent.
>Fix:
No solution. The Internet only has similar reports - no solution.
>Release-Note:
>Audit-Trail:
>Unformatted:
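The krb5.conf in this report names DOMAIN.LOCAL as default_realm but defines only JSP.LOCAL under [realms] and maps domain.local to JSP.LOCAL; the report does not say whether that is a real mismatch or anonymization of the post. The check below is an example added here, not part of the report or of any FreeBSD, Samba or MIT Kerberos tool: it parses the subset of krb5.conf syntax used above (sections, key = value, one level of { } nesting) and lists cross-section realm disagreements, using a constructed copy of the posted file as input.

```python
import re
from collections import defaultdict
# Constructed copy of the krb5.conf posted in the report (values as shown there).
KRB5_CONF = """
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
JSP.LOCAL = {
kdc = dco.domain.local
}
[domain_realm]
.domain.local = JSP.LOCAL
domain.local = JSP.LOCAL
"""
def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used above: section -> key -> value, one level of {} nesting."""
    conf = defaultdict(dict)
    section, block = None, None
    # strip comments and skip blank lines
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                  # new [section]
            section, block = m.group(1), None
            continue
        if line == "}":                        # end of a nested block
            block = None
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if val == "{":                         # start of a nested realm block
            block = key
            conf[section][block] = {}
        elif block is not None:
            conf[section][block][key] = val
        else:
            conf[section][key] = val
    return conf

def realm_findings(conf):
    """Report disagreements between default_realm, [realms] and [domain_realm]; an empty list means they agree."""
    findings = []
    default = conf["libdefaults"].get("default_realm")
    realms = conf["realms"]
    if default and default not in realms:
        findings.append(f"default_realm {default} has no [realms] entry")
    for dom, realm in conf["domain_realm"].items():
        if realm not in realms:
            findings.append(f"domain_realm {dom} -> {realm} has no [realms] entry")
        if default and realm != default:
            findings.append(f"domain_realm {dom} maps to {realm}, not default_realm {default}")
    return findings
```

Run against the posted values it reports three disagreements; with every realm name made consistent it reports none.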