Created attachment 9897 [details]
Packet captures and net.core

Relevant details:

My AD Domain Controller is running Windows Server 2012 R2. My FreeBSD version is 10.0-RELEASE-p2. I installed Samba from the FreeBSD ports collection.

I'm unable to join my Samba 3.6.23 client to AD using 'net ads join -U [account]'. The output that I get is:

  jabberwock# net ads join -U craigm
  Enter craigm's password:
  kerberos_kinit_password craigm@HOME.PFAFFLE.NET failed: Looping detected inside krb5_get_in_tkt
  Failed to join domain: failed to connect to AD: Looping detected inside krb5_get_in_tkt

Interestingly it seems a computer object *is* created in AD after I do that.

I'm using Heimdal Kerberos as included in the base system of FreeBSD (not the port), and I *am* able to use 'kinit' to successfully obtain a TGT. However, I did a packet capture using Wireshark on my domain controller to see how the exchanges differed between Samba's attempt to use Kerberos and kinit in the base system and it looks to me like Samba is not doing Kerberos correctly.

When I kinit, the exchange goes something like this:

  1. FreeBSD requests a TGT (w/o preauth).
  2. DC responds: No, preauthentication is required.
  3. FreeBSD requests a TGT (w/ preauth).
  4. DC responds: No, the reply is too large for UDP.
  5. FreeBSD negotiates a TCP session and requests a TGT again (w/ preauth).
  6. DC returns a TGT.

When I use 'net ads join', Samba's attempt goes like this:

  1. Samba requests a TGT (w/o preauth).
  2. DC responds: No, preauthentication is required.
  3. Samba requests a TGT (w/o preauth).
  4. DC responds: No, preauthentication is required.

I also tried using kinit to get a TGT for my domain admin account and then attempted to join to the domain using 'net ads join -k'. That failed as well, and resulted in net crashing with the following error:

  net: sha1 checksum failed
  Abort (core dumped)

No computer object was created in AD when I used -k either.
I'm attaching packet captures that show the exchanges I outlined above, and the core dump from net.
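An added example, not code from the report or from Samba, that turns the two exchanges listed above into a check: it walks a summarised AS exchange (the kind of per-packet row you would export from these captures with tshark) and flags a client that keeps resending a bare AS-REQ after the KDC answers KDC_ERR_PREAUTH_REQUIRED, which is the pattern the 'net ads join' capture shows, as well as a client that ignores KRB_ERR_RESPONSE_TOO_BIG. The Msg record type and the two sample sequences are constructed here to match the description above.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Kerberos constants from RFC 4120 (error codes: section 7.5.9; padata types: section 7.5.2)
KDC_ERR_PREAUTH_REQUIRED = 25
KRB_ERR_RESPONSE_TOO_BIG = 52
PA_ENC_TIMESTAMP = 2          # padata a password-based client must add after error 25


@dataclass
class Msg:
    """One summarised Kerberos message (constructed; a tshark row would supply the same fields)."""
    kind: str                                        # "AS-REQ", "AS-REP" or "KRB-ERROR"
    transport: str = "udp"                           # "udp" or "tcp"
    padata: List[int] = field(default_factory=list)  # padata types carried by an AS-REQ
    error_code: Optional[int] = None                 # set only for KRB-ERROR


def diagnose_as_exchange(msgs: List[Msg]) -> str:
    """Walk one AS exchange; return 'ok', 'preauth-loop', 'no-tcp-fallback' or 'incomplete'."""
    preauth_required = False
    too_big = False
    for m in msgs:
        if m.kind == "KRB-ERROR":
            if m.error_code == KDC_ERR_PREAUTH_REQUIRED:
                preauth_required = True
            elif m.error_code == KRB_ERR_RESPONSE_TOO_BIG:
                too_big = True
        elif m.kind == "AS-REQ":
            # After KDC_ERR_PREAUTH_REQUIRED the retry must carry PA-ENC-TIMESTAMP;
            # sending the bare AS-REQ again is the looping behaviour in the capture above.
            if preauth_required and PA_ENC_TIMESTAMP not in m.padata:
                return "preauth-loop"
            # After KRB_ERR_RESPONSE_TOO_BIG the retry must use TCP (RFC 4120 section 7.2.2).
            if too_big and m.transport != "tcp":
                return "no-tcp-fallback"
        elif m.kind == "AS-REP":
            return "ok"
    return "incomplete"


# Constructed sequences mirroring the kinit and 'net ads join' exchanges described above.
KINIT_EXCHANGE = [
    Msg("AS-REQ"), Msg("KRB-ERROR", error_code=KDC_ERR_PREAUTH_REQUIRED),
    Msg("AS-REQ", padata=[PA_ENC_TIMESTAMP]), Msg("KRB-ERROR", error_code=KRB_ERR_RESPONSE_TOO_BIG),
    Msg("AS-REQ", transport="tcp", padata=[PA_ENC_TIMESTAMP]), Msg("AS-REP", transport="tcp"),
]
SAMBA_EXCHANGE = [
    Msg("AS-REQ"), Msg("KRB-ERROR", error_code=KDC_ERR_PREAUTH_REQUIRED),
    Msg("AS-REQ"), Msg("KRB-ERROR", error_code=KDC_ERR_PREAUTH_REQUIRED),
]
```

diagnose_as_exchange(KINIT_EXCHANGE) returns "ok" and diagnose_as_exchange(SAMBA_EXCHANGE) returns "preauth-loop"; feeding it rows from a real capture needs only a small tshark-to-Msg conversion.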
The same problem arises in my installation: recently updated from 9.2-RELEASE to

  FreeBSD Lorien 10.0-RELEASE-p3 FreeBSD 10.0-RELEASE-p3 #0: Tue May 13 18:31:10 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

samba/log.wb-RUSIG:

  [2014/05/24 18:06:01.595827,  0] libads/kerberos_util.c:101(ads_kinit_password)
    kerberos_kinit_password LORIEN$@RUSIG.RU failed: Looping detected inside krb5_get_in_tkt
  [2014/05/24 18:06:22.746897,  0] rpc_client/cli_netlogon.c:690(rpccli_netlogon_set_trust_password)
    dcerpc_netr_ServerPasswordSet{2} failed: NT_STATUS_WRONG_PASSWORD
  [2014/05/24 18:07:22.857812,  0] rpc_client/cli_netlogon.c:690(rpccli_netlogon_set_trust_password)
    dcerpc_netr_ServerPasswordSet{2} failed: NT_STATUS_WRONG_PASSWORD

smb.conf:

  [global]
    unix extensions = no
    wide links = yes
    follow symlinks = yes
    workgroup = RUSIG
    realm = RUSIG.RU
    netbios name = Lorien
    server string = Lorien home
    security = ADS
    auth methods = winbind
    map to guest = Bad User
    password server = 10.243.5.100
    printer admin = root
    client NTLMv2 auth = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    client signing = Yes
    disable spoolss = Yes
    preferred master = No
    local master = No
    domain master = No
    display charset = cp1251
    unix charset = cp1251
    dos charset = cp866
    dns proxy = No
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
    hosts allow = 10., 127.
    map acl inherit = Yes
    case sensitive = No
    hide dot files = No
    nt acl support = yes
    os level = 10
    socket options = TCP_NODELAY
    load printers = yes
    printing = cups
    printcap name = /etc/printcap
    guest account = nobody
    guest ok = yes
    # debug level = 3

  [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No
    use client driver = yes
    public = yes

  [Eqv_Home_0]
    comment = Logic home dir
    path = /d0
    read only = No
    create mask = 0744
    directory mask = 0755

  [Eqv_Home_1]
    comment = Logic home dir
    path = /d1
    read only = No
    create mask = 0744
    directory mask = 0755