amd64/189409: Looping detected inside krb5_get_in_tkt (FreeBSD 10 x64)
Alex Kobzar
maodzedun at gmail.com
Wed May 7 07:10:00 UTC 2014
>Number: 189409
>Category: amd64
>Synopsis: Looping detected inside krb5_get_in_tkt (FreeBSD 10 x64)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-amd64
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 07 07:10:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Alex Kobzar
>Release: FreeBSD 10.0-RELEASE-p2
>Organization:
None
>Environment:
FreeBSD proxy 10.0-RELEASE-p2 FreeBSD 10.0-RELEASE-p2 #5: Wed May 7 08:25:45 EEST 2014 kobzar at proxy:/usr/obj/usr/src/sys/PROXY amd64
>Description:
Hi!
First I updated my working server from 9.1 to 9.2 with freebsd-update, and everything worked fine. Later, I updated to 10.0 and got the bug with samba + 2008 AD server. I didn't change any configs or settings. But I can't see AD users anymore.
In the logs I see this all the time:
May 7 09:44:06 proxy winbindd[73909]: Kinit failed: Looping detected inside krb5_get_in_tkt
May 7 09:44:06 proxy winbindd[73909]: [2014/05/07 09:44:06.628421, 0] libads/kerberos_util.c:101(ads_kinit_password)
===================================================
I tried installing a clean copy of FreeBSD and updated all ports, the system, etc.
I tried using different configs for samba and kerberos, but the error did not go away.
So, these are my configs (working on FreeBSD 9.2 now):
===================================================
└──╼ cat /etc/krb5.conf
[libdefaults]
default_realm = JSP.LOCAL
clockskew = 600
[realms]
JSP.LOCAL = {
kdc = dco.jsp.local
admin_server = 10.11.12.8
}
[domain_realms]
JSP.LOCAL = jsp.local
===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ kinit -p kobzar
kobzar at JSP.LOCAL's Password:
┌─[proxy]─[/home/kobzar]
└──╼ klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: kobzar at JSP.LOCAL
Issued Expires Principal
May 7 09:55:05 2014 May 7 19:55:03 2014 krbtgt/JSP.LOCAL at JSP.LOCAL
===================================================
As you see, no problem with tickets.
===================================================
┌─[proxy]─[/home/kobzar]
└──╼ pkg version |grep samba
samba36-3.6.23 =
└──╼ cat /usr/local/etc/smb.conf
[global]
workgroup = JSP
server string = Work
load printers = no
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = JSP.LOCAL
idmap backend = tdb
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = No
winbind use default domain = yes
passdb backend = tdbsam
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -p
Ping to winbindd succeeded
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -t
===================================================
checking the trust secret for domain JSP via RPC calls succeeded
===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ wbinfo -u
NO data
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -g
NO data
===================================================
id and getent see only local users and groups
===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ cat /etc/nsswitch.conf
group: files winbind
passwd: files winbind
#group: compat
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
┌─[proxy]─[/home/kobzar]
└──╼ net ads lookup
Information for Domain Controller: 10.0.0.1
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: yes
Forest: jsp.local
Domain: jsp.local
Domain Controller: Tango.jsp.local
Pre-Win2k Domain: JSP
Pre-Win2k Hostname: TANGO
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
===================================================
└──╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error
===================================================
┌─[proxy]─[/usr/ports/security/krb5]
└──╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar at DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
===================================================
Please do something. I found many people on the web who have this trouble, but no one could find a solution.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: