Bug 10093 - unable to join to an ads domain, kinit failing with "looping detected"
Status: NEW
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control
Version: 3.6.17
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Depends on:
Reported: 2013-08-17 22:01 UTC by drookie
Modified: 2014-11-25 07:56 UTC

See Also:

Attachments:
- the tcpdump capture for the kerberos exchange (912 bytes, application/octet-stream), 2013-08-17 22:01 UTC, drookie
- "net -d 10 ads join -U dca" logfile (98.58 KB, text/plain), 2013-08-17 22:02 UTC, drookie

Description drookie 2013-08-17 22:01:23 UTC
Created attachment 9140 [details]
the tcpdump capture for the kerberos exchange

Samba 3.6.17 from FreeBSD ports.

unable to join to an ads domain, kinit failing with "looping detected".
system kinit does work though:

[emz@crystal-omega:~]# kinit emz
emz@NORMA.COM's Password:
[emz@crystal-omega:~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: emz@NORMA.COM

  Issued                Expires               Principal
Aug 18 03:59:19 2013  Aug 18 12:59:19 2013  krbtgt/NORMA.COM@NORMA.COM

The attached tcpdump capture shows that the real error is error_code: KRB5KDC_ERR_PREAUTH_REQUIRED.

I can confirm that this is sometimes working: I was able to join another machine to the same domain, with the same FreeBSD version (less recent 10.0 though; the only meaningful difference can be the kerberos version, but I checked, they are the same), exactly the same package versions, and net ads join working under the same credentials. On the target machine this is 100% reproducible, 100% not working.

The attached files are:
- tcpdump capture showing the exchange on port 88 with a KDC.
- the "net -d 10 ads join -U dca" log file.
Comment 1 drookie 2013-08-17 22:02:02 UTC
Created attachment 9141 [details]
"net -d 10 ads join -U dca" logfile
Comment 2 drookie 2013-08-17 22:04:22 UTC
Yeah, my krb5.conf and my smb.conf files:

[libdefaults]
    default_realm = NORMA.COM

[realms]
    NORMA.COM = {
        kdc = tcp/hq-gc.norma.com
    }

[domain_realm]
    .kerberos.server = NORMA.COM

[logging]
    default = SYSLOG:INFO
    kdc = FILE:/var/log/kdc.log

[global]
workgroup = SOFTLAB
machine password timeout = 0
netbios name = CRYSTAL-OMEGA
server string = CRYSTAL-OMEGA/Samba 3.6.17 on FreeBSD 10.0-CURRENT
hosts allow = 192.168. 127. 172.16.
guest account = pcguest
map to guest = bad user
log file = /var/log/samba/log.%m
encrypt passwords = yes
socket options = TCP_NODELAY
dns proxy = no
local master = no
os level = 32
interfaces = vlan1 lo0
bind interfaces only = yes
log level = 0
syslog = 11
deadtime = 15
wins server =
printcap name = cups
printing = BSD
unix charset = KOI8-R
dos charset = 866
cups server =

host msdfs = no

dos filemode = yes
map acl inherit = yes

security = ads
realm = norma.com
#client ldap sasl wrapping = sign
#ldap ssl ads = yes

password server = hq-gc.norma.com

idmap config * : backend = tdb
idmap config * : range = 20000-30000

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = +
encrypt passwords = yes
template shell = /sbin/nologin
template homedir = /home/%U
Comment 3 drookie 2013-11-18 11:43:27 UTC
Weird, but after removing 'wins server' I was able to join a domain, and winbind is functional.
Comment 4 drookie 2013-11-18 11:57:01 UTC
Discard my last comment, this seems to be more related to the number of kerberos servers in samba krb5.conf.

With more than one server samba is unable to join, but when for some reason only one server is used in krb5.conf created by samba, samba is able to join without looping.
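Comment 4 ties the failed join to a krb5.conf that lists more than one kdc for the realm. The following is an added example, not code from this report or from Samba: a small Python check that parses the [realms] section of a krb5.conf and lists the realms with more than one kdc entry, run here on a constructed config modelled on the one posted above (the second KDC hostname, hq-dc2.norma.com, is made up).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the krb5.conf in this report (not the
# attached file itself); the second kdc line is invented for the demo.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = NORMA.COM

[realms]
    NORMA.COM = {
        kdc = tcp/hq-gc.norma.com
        kdc = tcp/hq-dc2.norma.com
    }

[domain_realm]
    .norma.com = NORMA.COM
"""


def kdcs_per_realm(text):
    """Return {realm: [kdc, ...]} from the [realms] section of a krb5.conf."""
    realms = defaultdict(list)
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)     # section header, e.g. [realms]
        if m:
            section = m.group(1).lower()
            realm = None
            continue
        if section != "realms":
            continue
        m = re.match(r"([^\s=]+)\s*=\s*\{$", line)   # "REALM = {"
        if m:
            realm = m.group(1)
            realms.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        if realm is not None:
            key, _, value = line.partition("=")
            if key.strip().lower() == "kdc":
                realms[realm].append(value.strip())
    return dict(realms)


def realms_with_multiple_kdcs(text):
    """Realms listing more than one kdc, the condition comment 4 links to the failed join."""
    return sorted(r for r, k in kdcs_per_realm(text).items() if len(k) > 1)
```

Point it at the krb5.conf Samba generates (or the system one) to see at a glance whether the realm falls into the multi-KDC case described here.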
Comment 5 skeletor 2014-11-25 07:56:28 UTC
I have found a workaround to solve this issue: rebuild samba with port-based kerberos (security/krb5). So, this issue appears only on FreeBSD 10.x with system kerberos and samba 3.6. On samba 4.x with system kerberos this issue doesn't appear.