From nobody@FreeBSD.org  Wed May  7 07:06:41 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 8681E415
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  7 May 2014 07:06:41 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 68640E15
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  7 May 2014 07:06:41 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s4776f2p015943
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 7 May 2014 07:06:41 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s4776fle015942;
	Wed, 7 May 2014 07:06:41 GMT
	(envelope-from nobody)
Message-Id: <201405070706.s4776fle015942@cgiserv.freebsd.org>
Date: Wed, 7 May 2014 07:06:41 GMT
From: Alex Kobzar <maodzedun@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Looping detected inside krb5_get_in_tkt (FreeBSD 10 x64)
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         189409
>Category:       kern
>Synopsis:       [kerberos] Looping detected inside krb5_get_in_tkt (FreeBSD 10 x64)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 07 07:10:00 UTC 2014
>Closed-Date:    
>Last-Modified:  Wed May 07 15:19:29 UTC 2014
>Originator:     Alex Kobzar
>Release:        FreeBSD 10.0-RELEASE-p2
>Organization:
None
>Environment:
FreeBSD proxy 10.0-RELEASE-p2 FreeBSD 10.0-RELEASE-p2 #5: Wed May  7 08:25:45 EEST 2014     kobzar@proxy:/usr/obj/usr/src/sys/PROXY  amd64
>Description:
Hi!
First I updated my working server from 9.1 to 9.2 with freebsd-update,
and everything worked fine. Later, I updated to 10.0 and got the bug with samba
+ 2008 AD server. I didn't change any configs or settings, but I can't see
AD users anymore.

In the logs I see this all the time:

May  7 09:44:06 proxy winbindd[73909]:   Kinit failed: Looping detected inside krb5_get_in_tkt
May  7 09:44:06 proxy winbindd[73909]: [2014/05/07 09:44:06.628421,  0] libads/kerberos_util.c:101(ads_kinit_password)

===================================================

I tried installing a clean copy of FreeBSD and updated all ports, the system, etc.
I tried using different configs for samba and kerberos, but the error has not gone away.
So, these are my configs (working on FreeBSD 9.2 now):

===================================================
└──╼ cat /etc/krb5.conf
[libdefaults]
        default_realm = JSP.LOCAL
        clockskew = 600

[realms]
        JSP.LOCAL = {
                kdc = dco.jsp.local
        admin_server = 10.11.12.8
}

[domain_realms]
JSP.LOCAL = jsp.local

===================================================

┌─[✗]─[proxy]─[/home/kobzar]
└──╼ kinit -p kobzar
kobzar@JSP.LOCAL's Password:
┌─[proxy]─[/home/kobzar]
└──╼ klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: kobzar@JSP.LOCAL

  Issued                Expires               Principal
May  7 09:55:05 2014  May  7 19:55:03 2014  krbtgt/JSP.LOCAL@JSP.LOCAL
===================================================

As you can see, there is no problem with tickets.

===================================================
┌─[proxy]─[/home/kobzar]
└──╼ pkg version |grep samba
samba36-3.6.23                     =


└──╼ cat /usr/local/etc/smb.conf
[global]
workgroup = JSP
server string = Work
load printers = no
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = JSP.LOCAL
idmap backend = tdb
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = No
winbind use default domain = yes
passdb backend = tdbsam
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8

┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -p
Ping to winbindd succeeded
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -t
===================================================

checking the trust secret for domain JSP via RPC calls succeeded

===================================================
┌─[✗]─[proxy]─[/home/kobzar]
└──╼ wbinfo -u
NO data
┌─[proxy]─[/home/kobzar]
└──╼ wbinfo -g
NO data

===================================================
id and getent see only local users and groups
===================================================


┌─[✗]─[proxy]─[/home/kobzar]
└──╼ cat /etc/nsswitch.conf
 
group: files winbind
passwd: files winbind
#group: compat
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files


┌─[proxy]─[/home/kobzar]
└──╼ net ads lookup
Information for Domain Controller: 10.0.0.1

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 79c2a975-f915-4845-88ce-36f0994aff2e
Flags:
        Is a PDC:                                   yes
        Is a GC of the forest:                      yes
        Is an LDAP server:                          yes
        Supports DS:                                yes
        Is running a KDC:                           yes
        Is running time services:                   yes
        Is the closest DC:                          yes
        Is writable:                                yes
        Has a hardware clock:                       yes
        Is a non-domain NC serviced by LDAP server: no
        Is NT6 DC that has some secrets:            no
        Is NT6 DC that has all secrets:             yes
Forest:                 jsp.local
Domain:                 jsp.local
Domain Controller:      Tango.jsp.local
Pre-Win2k Domain:       JSP
Pre-Win2k Hostname:     TANGO
Server Site Name :              Default-First-Site-Name
Client Site Name :              Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
===================================================

└──╼ net ads testjoin
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
kerberos_kinit_password PROXY$@JSP.LOCAL failed: Looping detected inside krb5_get_in_tkt
Join to domain is not valid: Undetermined error
===================================================

┌─[proxy]─[/usr/ports/security/krb5]
└──╼ net ads join -U kobzar
Enter kobzar's password:
kerberos_kinit_password kobzar@DOMAIN.LOCAL failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt
===================================================

Please do something. I found many people on the web who have this problem,
but no one has found a solution.




>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-amd64->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed May 7 15:18:25 UTC 2014 
Responsible-Changed-Why:  
probably not amd64-specific. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=189409 
>Unformatted:
