Was running release 9.1! Updated via freebsd-update to 9.2 - everything went fine! Then updated to release 10! After the update, rebuilt world, kernel and all packages! mergemaster and so on! Replaced BIND with UNBOUND! All services work! No errors! Except that communication with the Windows 2008 domain stopped working! The Samba config was not changed, nor was the Kerberos one! Errors in the log:

Mar 27 10:35:00 proxy winbindd[66318]: [2014/03/27 10:35:00.112260, 0] libads/kerberos_util.c:101(ads_kinit_password)
Mar 27 10:35:00 proxy winbindd[66318]: kerberos_kinit_password PROXY$@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt

╼ wbinfo -p
Ping to winbindd succeeded

kinit and klist are fine! Tickets are issued!

╼ net ads info
LDAP server: 10.11.12.8
LDAP server name: DCO.domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: чт, 27 мар 2014 10:43:44 EET
KDC server: 10.11.12.8
Server time offset: -19

net ads lookup
Information for Domain Controller: 172.16.16.2
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
    Is a PDC: yes
    Is a GC of the forest: yes
    Is an LDAP server: yes
    Supports DS: yes
    Is running a KDC: yes
    Is running time services: yes
    Is the closest DC: yes
    Is writable: yes
    Has a hardware clock: yes
    Is a non-domain NC serviced by LDAP server: no
    Is NT6 DC that has some secrets: no
    Is NT6 DC that has all secrets: yes
Forest: domain.local
Domain: domain.local
Domain Controller: pdc.domain.local
Pre-Win2k Domain: DOMAIN
Pre-Win2k Hostname: PDC
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

And then it gets mysterious: wbinfo -u -g - empty

╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error

╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

[✗][proxy][/usr/ports/security/krb5] ╼ net ads join -U kobzar@DOMAIN.LOCAL
Enter kobzar@JSP.LOCAL's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

╼ pkg version|grep samba
samba36-3.6.23

╼ cat /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = no
    dns_lookup_kdc = no
    ticket_lifetime = 24h
    default_keytab_name = /usr/local/etc/squid/squid.keytab
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    JSP.LOCAL = {
        kdc = dco.domain.local
        admin_server = dco.domain.local
        default_domain = dco.domain.local
    }

[domain_realm]
    .domain.local = JSP.LOCAL
    domain.local = JSP.LOCAL

╼ cat /usr/local/etc/smb.conf
#======================= Global Settings =====================================
[global]
    workgroup = DOMAIN
    netbios name = proxy
    server string = Proxy Server
    security = ADS
    auth methods = winbind
    password server = domain.local
    realm = DOMAIN.LOCAL
    local master = no
    domain master = no
    preferred master = no
    dns proxy = yes
    map to guest = Bad User
    wins support = no
    client NTLMv2 auth = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    client signing = Yes
    disable spoolss = Yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
    inherit acls = Yes
    hosts allow = 10.11.12., 172.16.16., 127.
    map acl inherit = Yes
    case sensitive = No
    nt acl support = yes
    os level = 10
    socket options = TCP_NODELAY
    load printers = no
    # Charset settings
    display charset = utf-8
    unix charset = utf-8
    dos charset = cp866
    encrypt passwords = yes
    winbind separator = /
    load printers = no

[Work]
    comment = Work
    path = /home/Work
    admin users = "@DOMAIN+Администраторы\ домена", "@DOMAIN\kobzar"
    browseable = yes
    writable = yes
    create mask = 0660
    directory mask = 0770
    inherit acls = yes
    inherit owner = yes
    inherit permissions = yes
    map acl inherit = yes
    locking = no

Fix: No solution! On the internet there are only similar reports - no solution

How-To-Repeat: The error is persistent
Responsible Changed
From-To: freebsd-amd64->freebsd-bugs

reclassify.
I have found a workaround to solve this issue: rebuild samba with port-based kerberos (security/krb5). So, this issue appears only on FreeBSD 10.x with system kerberos and samba 3.6. On samba 4.x with system kerberos this issue doesn't appear.
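
One way to confirm which Kerberos libraries a rebuilt winbindd actually loads, relevant to the workaround in the comment above (an added example, not part of the original report or of Samba). It assumes the FreeBSD default layout, with base-system libraries under /usr/lib or /lib and port-installed ones under /usr/local/lib; the library-name list and the sample ldd lines, including their version numbers, are constructed for illustration.

```shell
#!/bin/sh
# Classify the Kerberos libraries a binary links against, reading `ldd`
# output on stdin. Prints one of: system | port | mixed | none.
# "mixed" flags a partial rebuild: some Kerberos/GSSAPI libraries resolve
# to the base system and others to the ports prefix.
krb5_provider() {
    awk '
        # ldd lines look like: "libfoo.so.N => /path/libfoo.so.N (0x...)"
        # The name list is an assumption covering common Kerberos/GSSAPI libs.
        $2 == "=>" && $1 ~ /^lib(krb5|gssapi|gssapi_krb5|k5crypto|hx509|heimbase)\.so/ {
            if ($3 ~ /^\/usr\/local\/lib\//)   port++   # installed by a port
            else if ($3 ~ /^(\/usr)?\/lib\//)  base++   # base system
        }
        END {
            if (port && base) print "mixed"
            else if (port)    print "port"
            else if (base)    print "system"
            else              print "none"
        }'
}

# Constructed samples (not taken from the report).
SAMPLE_SYSTEM='    libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x801c00000)
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x801e00000)
    libc.so.7 => /lib/libc.so.7 (0x802000000)'

SAMPLE_PORT='    libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x801c00000)
    libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x801e00000)
    libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x802000000)'

SAMPLE_MIXED='    libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x801c00000)
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x801e00000)'

# Usage on a real host: sh this_script /path/to/winbindd
if [ -n "${1:-}" ]; then
    ldd "$1" | krb5_provider
fi
```

A result of "mixed" after a rebuild means the binary still pulls part of its Kerberos stack from the base system, so the rebuild did not fully switch providers.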
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"