Bug 188014

Summary: [kerberos] FreeBSD 10 Looping detected inside krb5_get_in_tkt
Product: Base System
Reporter: Александр <maodzedun>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open
Severity: Affects Only Me
CC: forumforeign, nteruptedservice
Priority: Normal
Version: 10.0-RELEASE
Hardware: Any
OS: Any

Description Александр 2014-03-27 10:50:00 UTC
Was running release 9.1!
Updated via freebsd-update to 9.2 - all good!
Then updated to release 10!
After the update, rebuilt world, kernel and all packages!
Mergemaster and so on! Replaced BIND with UNBOUND!
All services work! No errors! Except that the connection to the Windows 2008 domain stopped working! The samba config was not changed, nor was the kerberos one!
Errors in the logs:
Mar 27 10:35:00 proxy winbindd[66318]: [2014/03/27 10:35:00.112260,  0] libads/kerberos_util.c:101(ads_kinit_password)
Mar 27 10:35:00 proxy winbindd[66318]:   kerberos_kinit_password PROXY$@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt

╼ wbinfo -p
Ping to winbindd succeeded

kinit and klist are fine! Tickets are issued!

╼ net ads info
LDAP server: 10.11.12.8
LDAP server name: DCO.domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: чт, 27 мар 2014 10:43:44 EET
KDC server: 10.11.12.8
Server time offset: -19

 net ads lookup
Information for Domain Controller: 172.16.16.2

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
        Is a PDC:                                   yes
        Is a GC of the forest:                      yes
        Is an LDAP server:                          yes
        Supports DS:                                yes
        Is running a KDC:                           yes
        Is running time services:                   yes
        Is the closest DC:                          yes
        Is writable:                                yes
        Has a hardware clock:                       yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets:            no
        Is NT6 DC that has all secrets:             yes
Forest:                 domain.local
Domain:                 domain.local
Domain Controller:      pdc.domain.local
Pre-Win2k Domain:       DOMAIN
Pre-Win2k Hostname:     PDC
Server Site Name :              Default-First-Site-Name
Client Site Name :              Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

And from here on it gets mysterious:

wbinfo -u and wbinfo -g return nothing.

╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error

╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
[✗][proxy][/usr/ports/security/krb5]
╼ net ads join -U kobzar@DOMAIN.LOCAL
Enter kobzar@JSP.LOCAL's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

╼ pkg version|grep samba
samba36-3.6.23                     

╼ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = no
 dns_lookup_kdc = no
 ticket_lifetime = 24h
 default_keytab_name = /usr/local/etc/squid/squid.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 JSP.LOCAL = {
  kdc = dco.domain.local
  admin_server = dco.domain.local
  default_domain = dco.domain.local
  }

[domain_realm]
        .domain.local = JSP.LOCAL
        domain.local = JSP.LOCAL

╼ cat /usr/local/etc/smb.conf
#======================= Global Settings =====================================
[global]
    workgroup = DOMAIN
    netbios name = proxy
    server string = Proxy Server
    security = ADS
    auth methods = winbind
    password server = domain.local
    realm = DOMAIN.LOCAL
    local master = no
    domain master = no
    preferred master = no
    dns proxy = yes
    map to guest = Bad User
    wins support = no
    client NTLMv2 auth = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    client signing = Yes
    disable spoolss = Yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
    inherit acls = Yes
    hosts allow = 10.11.12., 172.16.16., 127.
    map acl inherit = Yes
    case sensitive = No
    nt acl support = yes
    os level = 10
    socket options = TCP_NODELAY
    load printers = no
# Charset settings
    display charset = utf-8
    unix charset = utf-8
    dos charset = cp866
    encrypt passwords = yes
    winbind separator = /
    load printers = no

[Work]
   comment = Work
   path = /home/Work
   admin users = "@DOMAIN+Администраторы\ домена", "@DOMAIN\kobzar"
   browseable = yes
   writable = yes
   create mask = 0660
   directory mask = 0770
   inherit acls = yes
   inherit owner = yes
   inherit permissions = yes
   map acl inherit = yes
   locking = no

Fix:

There is no solution! The internet only has similar reports - no solution.
How-To-Repeat: The error is constant.
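An added sanity check, not code from the report or from FreeBSD, Heimdal or Samba: it parses the realm sections of a krb5.conf (the report's own, embedded below as constructed sample input) and flags a default_realm or domain_realm target that has no [realms] entry, plus single-DES types in the enctype lists. As posted, the config names DOMAIN.LOCAL as default_realm while [realms] only defines JSP.LOCAL, and it permits des-cbc-crc/des-cbc-md5; both are things to rule out on the client before looking at the Kerberos library itself.

```python
# Constructed sample: the realm-related parts of the krb5.conf quoted in the report.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.LOCAL
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 JSP.LOCAL = {
  kdc = dco.domain.local
  }
[domain_realm]
        .domain.local = JSP.LOCAL
        domain.local = JSP.LOCAL
"""

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # single DES, deprecated by RFC 6649

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'NAME = {' block becomes a nested dict."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].strip(" ="), {})
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return conf

def check_realms(conf):
    """Return findings an admin should rule out before suspecting the Kerberos library."""
    findings, lib, realms = [], conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = lib.get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] entry")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm maps {domain} to undefined realm {realm}")
    for key in ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} allows weak enctypes: {', '.join(weak)}")
    return findings
```

Run `check_realms(parse_krb5_conf(open("/etc/krb5.conf").read()))` on a real client; an empty list means the realm mapping is at least self-consistent.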
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2014-03-31 06:25:02 UTC
Responsible Changed
From-To: freebsd-amd64->freebsd-bugs

reclassify.
Comment 2 forumforeign 2014-11-24 20:50:13 UTC
I have found a workaround to solve this issue: rebuild samba with port-based kerberos (security/krb5). So, this issue appears only on FreeBSD 10.x with system kerberos and samba 3.6. On samba 4.x with system kerberos this issue doesn't appear.
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2018-05-20 23:57:18 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"