From nobody@FreeBSD.org  Thu Mar 27 10:47:57 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 60E828CB
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 27 Mar 2014 10:47:57 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 410DACEC
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 27 Mar 2014 10:47:57 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s2RAluIW066533
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 27 Mar 2014 10:47:56 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s2RAlu2q066532;
	Thu, 27 Mar 2014 10:47:56 GMT
	(envelope-from nobody)
Message-Id: <201403271047.s2RAlu2q066532@cgiserv.freebsd.org>
Date: Thu, 27 Mar 2014 10:47:56 GMT
From:  <maodzedun@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: FreeBSD 10  Looping detected inside krb5_get_in_tkt
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         188014
>Category:       kern
>Synopsis:       [kerberos] FreeBSD 10 Looping detected inside krb5_get_in_tkt
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 27 10:50:00 UTC 2014
>Closed-Date:    
>Last-Modified:  Mon Mar 31 05:25:25 UTC 2014
>Originator:     
>Release:        10.0-RELEASE
>Organization:

>Environment:
FreeBSD proxy 10.0-RELEASE FreeBSD 10.0-RELEASE #2: Fri Mar 21 14:37:34 EET 2014     kobzar@proxy:/usr/obj/usr/src/sys/PROXY  amd64

>Description:
  9.1!
  freebsd-update  9.2 -  !
   10 ! 
       !
   !  BIND   UNBOUND! 
  !  !         Windows 2008 !    ,  ! 
   
Mar 27 10:35:00 proxy winbindd[66318]: [2014/03/27 10:35:00.112260,  0] libads/kerberos_util.c:101(ads_kinit_password)
Mar 27 10:35:00 proxy winbindd[66318]:   kerberos_kinit_password PROXY$@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt

╼ wbinfo -p
Ping to winbindd succeeded

kinit  klist !  !

╼ net ads info
LDAP server: 10.11.12.8
LDAP server name: DCO.domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: , 27  2014 10:43:44 EET
KDC server: 10.11.12.8
Server time offset: -19

 net ads lookup
Information for Domain Controller: 172.16.16.2

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
        Is a PDC:                                   yes
        Is a GC of the forest:                      yes
        Is an LDAP server:                          yes
        Supports DS:                                yes
        Is running a KDC:                           yes
        Is running time services:                   yes
        Is the closest DC:                          yes
        Is writable:                                yes
        Has a hardware clock:                       yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets:            no
        Is NT6 DC that has all secrets:             yes
Forest:                 domain.local
Domain:                 domain.local
Domain Controller:      pdc.domain.local
Pre-Win2k Domain:       DOMAIN
Pre-Win2k Hostname:     PDC
Server Site Name :              Default-First-Site-Name
Client Site Name :              Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

  

wbinfo -u -g - 

╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error

╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
[✗][proxy][/usr/ports/security/krb5]
╼ net ads join -U kobzar@DOMAIN.LOCAL
Enter kobzar@JSP.LOCAL's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

╼ pkg version|grep samba
samba36-3.6.23                     

╼ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = no
 dns_lookup_kdc = no
 ticket_lifetime = 24h
 default_keytab_name = /usr/local/etc/squid/squid.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 JSP.LOCAL = {
  kdc = dco.domain.local
  admin_server = dco.domain.local
  default_domain = dco.domain.local
  }

[domain_realm]
        .domain.local = JSP.LOCAL
        domain.local = JSP.LOCAL

╼ cat /usr/local/etc/smb.conf
#======================= Global Settings =====================================
[global]
    workgroup = DOMAIN
    netbios name = proxy
    server string = Proxy Server
    security = ADS
    auth methods = winbind
    password server = domain.local
    realm = DOMAIN.LOCAL
    local master = no
    domain master = no
    preferred master = no
    dns proxy = yes
    map to guest = Bad User
    wins support = no
    client NTLMv2 auth = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    client signing = Yes
    disable spoolss = Yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
    inherit acls = Yes
    hosts allow = 10.11.12., 172.16.16., 127.
    map acl inherit = Yes
    case sensitive = No
    nt acl support = yes
    os level = 10
    socket options = TCP_NODELAY
    load printers = no
# Charset settings
    display charset = utf-8
    unix charset = utf-8
    dos charset = cp866
    encrypt passwords = yes
    winbind separator = /
    load printers = no

[Work]
   comment = Work
   path = /home/Work
   admin users = "@DOMAIN+\ ", "@DOMAIN\kobzar"
   browseable = yes
   writable = yes
   create mask = 0660
   directory mask = 0770
   inherit acls = yes
   inherit owner = yes
   inherit permissions = yes
   map acl inherit = yes
   locking = no



>How-To-Repeat:
 
>Fix:
 !      -  

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-amd64->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Mar 31 05:25:02 UTC 2014 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=188014 
>Unformatted:
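
The krb5.conf quoted in the report can be checked mechanically for the two things a reviewer looks at first: whether default_realm has a matching [realms] stanza (the file sets default_realm = DOMAIN.LOCAL while the only stanza defined is JSP.LOCAL, and with dns_lookup_kdc = no the library will not locate a KDC via DNS SRV records), and whether deprecated enctypes are enabled (the DES types are deprecated by RFC 6649, RC4-HMAC by RFC 8429). The script below is an added example, not code from the PR, from FreeBSD, Samba or the krb5 port; parse_krb5_conf(), check_krb5_conf() and the WEAK_ENCTYPES set are the example's own constructions, and the embedded configuration is the one quoted in the report, copied as posted.

```python
"""Sanity checker for a krb5.conf: realm-name consistency and weak enctypes.

Added illustration for PR 188014; it is not part of FreeBSD, Samba or of
MIT/Heimdal Kerberos. KRB5_CONF is the configuration quoted in the report,
copied verbatim (including the DOMAIN.LOCAL / JSP.LOCAL realm names as posted).
"""
import re

KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = no
 dns_lookup_kdc = no
 ticket_lifetime = 24h
 default_keytab_name = /usr/local/etc/squid/squid.keytab
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 JSP.LOCAL = {
  kdc = dco.domain.local
  admin_server = dco.domain.local
  default_domain = dco.domain.local
  }

[domain_realm]
        .domain.local = JSP.LOCAL
        domain.local = JSP.LOCAL
"""

# DES types are deprecated by RFC 6649, RC4-HMAC (arcfour) by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {key: value}}}.

    Handles one level of "NAME = { ... }" braces, which covers [realms].
    Comments (#) and blank lines are ignored.
    """
    sections = {}
    section = None      # dict of the current [section]
    subsection = None   # dict of the open "{ ... }" block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            subsection = None
            continue
        if section is None:
            continue
        if line == "}":
            subsection = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)
        if m:
            subsection = section.setdefault(m.group(1), {})
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            target = subsection if subsection is not None else section
            target[m.group(1)] = m.group(2).strip()
    return sections


def check_krb5_conf(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    conf = parse_krb5_conf(text)
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    # 1. default_realm must be one of the realms that actually has a stanza.
    default_realm = libdefaults.get("default_realm")
    if default_realm is None:
        findings.append("libdefaults: no default_realm set")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] stanza "
                        f"(defined: {sorted(realms)})")

    # 2. Every domain_realm mapping must point at a defined realm.
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm: {domain} maps to undefined realm {realm}")

    # 3. Realm names are case-sensitive and conventionally upper-case; a realm
    #    without a kdc line only works if DNS lookup of the KDC is enabled.
    for realm, body in realms.items():
        if realm != realm.upper():
            findings.append(f"realm {realm} is not upper-case")
        if isinstance(body, dict) and "kdc" not in body:
            findings.append(f"realm {realm}: no kdc configured while dns_lookup_kdc = "
                            f"{libdefaults.get('dns_lookup_kdc', '(unset)')}")

    # 4. Deprecated enctypes in any of the three enctype lists.
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in libdefaults.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key}: weak enctypes enabled: {' '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in check_krb5_conf(KRB5_CONF):
        print("FINDING:", finding)
```

Run against the quoted file the script reports the missing DOMAIN.LOCAL stanza and the three enctype lists that still permit rc4-hmac, des-cbc-crc and des-cbc-md5; with the realm names made consistent and the weak enctypes removed it reports nothing.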
