Bug 10585 - Looping detected inside krb5_get_in_tkt when using 'net ads join'
Summary: Looping detected inside krb5_get_in_tkt when using 'net ads join'
Status: NEW
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Client Tools (show other bugs)
Version: 3.6.23
Hardware: x64 FreeBSD
: P5 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-03 23:36 UTC by Craig Meinschein
Modified: 2014-06-30 14:45 UTC (History)
1 user (show)

See Also:


Attachments
Packet captures and net.core (1.00 MB, application/x-zip-compressed)
2014-05-03 23:36 UTC, Craig Meinschein
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Craig Meinschein 2014-05-03 23:36:47 UTC
Created attachment 9897 [details]
Packet captures and net.core

Relevant details:
My AD Domain Controller is running Windows Server 2012 R2.
My FreeBSD version is 10.0-RELEASE-p2.
I installed Samba from the FreeBSD ports collection.

I'm unable to join my Samba 3.6.23 client to AD using 'net ads join -U [account]'. The output that I get is:

jabberwock# net ads join -U craigm
Enter craigm's password:
kerberos_kinit_password craigm@HOME.PFAFFLE.NET failed: Looping detected inside krb5_get_in_tkt
Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

Interestingly it seems a computer object *is* created in AD after I do that.

I'm using Heimdal Kerberos as included in the base system of FreeBSD (not the port), and I *am* able to use 'kinit' to successfully obtain a TGT. However, I did a packet capture using Wireshark on my domain controller to see how the exchanges differed between Samba's attempt to use Kerberos and kinit in the base system and it looks to me like Samba is not doing Kerberos correctly.

When I kinit, the exchange goes something like this:
1. FreeBSD requests a TGT (w/o preauth).
2. DC responds: No, preauthentication is required.
2. FreeBSD requests a TGT (w/ preauth).
3. DC responds: No, the reply is too large for UDP.
4. FreeBSD negotiates a TCP session and requests a TGT again (w/ preauth).
5. DC returns a TGT.

When I use 'net ads join', Samba's attempt goes like this:
1. Samba requests a TGT (w/o preauth).
2. DC responds: No, preauthentication is required.
3. Samba requests a TGT (w/o preauth).
4. DC responds: No, preauthentication is required.

I also tried using kinit to get a TGT for my domain admin account and
then attempted to join to the domain using 'net ads join -k'. That
failed as well, and resulted in net crashing with the following error:

net: sha1 checksum failed
Abort (core dumped)

No computer object was created in AD when I used -k either.

I'm attaching packet captures that show the exchanges I outlined above, and the core dump from net.
Comment 1 Alexander Derevianko 2014-05-24 14:24:31 UTC
The same problem arise in my installation: recently updated from 9.2-RELEASE to
FreeBSD Lorien 10.0-RELEASE-p3 FreeBSD 10.0-RELEASE-p3 #0: Tue May 13 18:31:10 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

samba/log.wb-RUSIG
[2014/05/24 18:06:01.595827,  0] libads/kerberos_util.c:101(ads_kinit_password)
  kerberos_kinit_password LORIEN$@RUSIG.RU failed: Looping detected inside krb5_get_in_tkt
[2014/05/24 18:06:22.746897,  0] rpc_client/cli_netlogon.c:690(rpccli_netlogon_set_trust_password)
  dcerpc_netr_ServerPasswordSet{2} failed: NT_STATUS_WRONG_PASSWORD
[2014/05/24 18:07:22.857812,  0] rpc_client/cli_netlogon.c:690(rpccli_netlogon_set_trust_password)
  dcerpc_netr_ServerPasswordSet{2} failed: NT_STATUS_WRONG_PASSWORD


smb.conf:
[global]
  unix extensions = no
  wide links = yes
  follow symlinks = yes
  workgroup = RUSIG             
  realm = RUSIG.RU
  netbios name = Lorien
  server string = Lorien home
  security = ADS
  auth methods = winbind
  map to guest = Bad User
  password server = 10.243.5.100
  printer admin = root 
  client NTLMv2 auth = Yes
  log file = /var/log/samba/log.%m
  max log size = 50
  client signing = Yes
  disable spoolss = Yes
  preferred master = No
  local master = No
  domain master = No
          display charset = cp1251
         unix charset = cp1251
        dos charset = cp866
  dns proxy = No
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind use default domain = Yes
  hosts allow = 10., 127.
  map acl inherit = Yes
  case sensitive = No
  hide dot files = No
  nt acl support = yes
  os level = 10
  socket options = TCP_NODELAY
  load printers = yes
  printing = cups 
  printcap name = /etc/printcap
  guest account = nobody
  guest ok = yes
#  debug level = 3 

[printers]
  comment = All Printers
  path = /var/spool/samba
  printable = Yes
  browseable = No
  use client driver = yes
  public = yes

[Eqv_Home_0]
  comment = Logic home dir
  path = /d0
  read only = No
  create mask = 0744
  directory mask = 0755

[Eqv_Home_1]
  comment = Logic home dir
  path = /d1
  read only = No
  create mask = 0744
  directory mask = 0755