Created attachment 9140 [details]
the tcpdump capture for the kerberos exchange

FreeBSD 10.0-CURRENT. Samba 3.6.17 from FreeBSD ports. Unable to join an ADS domain, kinit failing with "looping detected". System kinit does work though:

[emz@crystal-omega:~]# kinit emz
emz@NORMA.COM's Password:
[emz@crystal-omega:~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: emz@NORMA.COM

  Issued                Expires               Principal
Aug 18 03:59:19 2013    Aug 18 12:59:19 2013  krbtgt/NORMA.COM@NORMA.COM

The attached tcpdump capture shows that the real error is error_code: KRB5KDC_ERR_PREAUTH_REQUIRED.

I can confirm that this is sometimes working: I was able to join another machine to the same domain, with the same FreeBSD version (a less recent 10.0 though; the only meaningful difference could be the kerberos version, but I checked, they are the same), exactly the same package versions, and net ads join working under the same credentials. On the target machine this is 100% reproducible, 100% not working.

The attached files are:
- tcpdump capture showing the exchange on port 88 with a KDC.
- the "net -d 10 ads -U dca" log file.
Created attachment 9141 [details] "net -d 10 ads join -U dca" logfile
Yeah, my krb5.conf and my smb.conf files:

===krb5.conf===
[libdefaults]
    default_realm = NORMA.COM

[realms]
    NORMA.COM = {
        kdc = tcp/hq-gc.norma.com
    }

[domain_realm]
    .kerberos.server = NORMA.COM

[logging]
    default = SYSLOG:INFO
    kdc = FILE:/var/log/kdc.log
===krb5.conf===

===smb.conf===
[global]
    workgroup = SOFTLAB
    machine password timeout = 0
    netbios name = CRYSTAL-OMEGA
    server string = CRYSTAL-OMEGA/Samba 3.6.17 on FreeBSD 10.0-CURRENT
    hosts allow = 192.168. 127. 172.16.
    guest account = pcguest
    map to guest = bad user
    log file = /var/log/samba/log.%m
    encrypt passwords = yes
    socket options = TCP_NODELAY
    dns proxy = no
    local master = no
    os level = 32
    interfaces = vlan1 lo0
    bind interfaces only = yes
    log level = 0
    syslog = 11
    deadtime = 15
    wins server = 192.168.3.45
    printcap name = cups
    printing = BSD
    unix charset = KOI8-R
    dos charset = 866
    cups server = 192.168.3.1
    host msdfs = no
    dos filemode = yes
    map acl inherit = yes
    security = ads
    realm = norma.com
    #client ldap sasl wrapping = sign
    #ldap ssl ads = yes
    password server = hq-gc.norma.com
    idmap config * : backend = tdb
    idmap config * : range = 20000-30000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind separator = +
    encrypt passwords = yes
    template shell = /sbin/nologin
    template homedir = /home/%U
===smb.conf===
Weird, but after removing 'wins server' I was able to join a domain, and winbind is functional.
Discard my last comment, this seems to be more related to the number of kerberos servers in samba krb5.conf. With more than one server samba is unable to join, but when for some reason only one server is used in krb5.conf created by samba, samba is able to join without looping.
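As an added diagnostic that is not part of this report and not Samba's own code: a small parser for the [realms] section of a krb5.conf that lists the kdc entries per realm (handling the Heimdal-style "tcp/host" prefix seen above and an optional ":port" suffix) and flags realms with more than one KDC, the condition the comment above ties to the looping join. The sample config and its second host name are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape Samba writes; dc2.norma.com is a placeholder.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = NORMA.COM

[realms]
    NORMA.COM = {
        kdc = tcp/hq-gc.norma.com
        kdc = dc2.norma.com:88
        admin_server = hq-gc.norma.com
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
    }
"""


def parse_realm_kdcs(text: str) -> Dict[str, List[str]]:
    """Return {REALM: [kdc host, ...]} from the [realms] section of a krb5.conf."""
    realms: Dict[str, List[str]] = {}
    section = None   # name of the [section] we are currently inside
    current = None   # realm whose { ... } block we are currently inside
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "realms":
            continue
        m = re.match(r"^([A-Za-z0-9.\-_]+)\s*=\s*\{$", line)
        if m:
            current = m.group(1)
            realms.setdefault(current, [])
            continue
        if line == "}":
            current = None
            continue
        m = re.match(r"^kdc\s*=\s*(\S+)$", line)
        if m and current:
            host = re.sub(r"^(tcp|udp)/", "", m.group(1))  # strip transport prefix
            host = re.sub(r":\d+$", "", host)              # strip explicit port
            realms[current].append(host)
    return realms


def realms_with_multiple_kdcs(text: str) -> List[str]:
    """Realms that list more than one kdc, sorted by name."""
    return sorted(r for r, k in parse_realm_kdcs(text).items() if len(k) > 1)
```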
I have found a workaround to solve this issue: rebuild samba with port-based kerberos (security/krb5). So, this issue appears only on FreeBSD 10.x with system kerberos and samba 3.6. On samba 4.x with system kerberos this issue doesn't appear.