[Samba] Samba AD not listening on ipv4 - 464/tcp

pavel.lisy at gmail.com
Fri May 3 10:39:26 UTC 2024


On Fri, 2024-05-03 at 09:34 +0100, Rowland Penny via samba wrote:
> On Fri, 03 May 2024 10:11:48 +0200
> PaLi via samba <samba at lists.samba.org> wrote:
> 
> > Hello
> > 
> > I'm not able to connect to Samba AD domain by realm. 
> > 
> > sudo realm join OFFICE.COMPANY.COM -U administrator
> > 
> > Password for administrator: 
> > See: journalctl REALMD_OPERATION=r41422.307314
> > realm: Couldn't join realm: Failed to join the domain
> > 
> > this is in journal:
> > 
> > smbmem41.office.company.com realmd[211374]: adcli: joining domain
> > office.company.com failed: Couldn't set password for computer
> > account: SMBMEM41$: Cannot contact any KDC for requested realm
> > 
> > according to 
> > https://access.redhat.com/solutions/3697241
> > it is necessary to open ports 464/tcp, 464/udp (kpasswd5)
> > 
> > but samba AD is listening on IPv6 localhost only
> > 
> > sudo ss -tulpn | grep ':464\|:88'
> > udp   UNCONN 0      0              0.0.0.0:88         0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=16))
> > udp   UNCONN 0      0                [::1]:464           [::]:*    users:(("kdc[master]",pid=217782,fd=38))
> > tcp   LISTEN 0      5              0.0.0.0:88         0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=17))
> > tcp   LISTEN 0      10               [::1]:464           [::]:*    users:(("kdc[master]",pid=217782,fd=37))
> > 
> > 
> > I'm trying to set this explicitly in
> > file /var/lib/samba/private/kdc.conf by this directive
> > "kpasswd_listen"
> > 
> > [kdcdefaults]
> >    kdc_listen = 0.0.0.0
> >    kdc_tcp_listen = 0.0.0.0
> >    kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
> >    kdc_ports = 88
> >    kdc_tcp_ports = 88
> > 
> > but nothing changed
> > 
> > when I've changed kdc_listen I can see a difference in "sudo ss -tulpn",
> > but no changes for kpasswd_listen
> > 
> > How is it possible to make it work?
> > 
> > Pavel
> > 
> 
> Sorry, but you appear to be asking in the wrong place, realmd and adcli
> are not produced by Samba
> 
> Samba uses 'net ads join' to join to an AD domain and none of my DCs
> have /var/lib/samba/private/kdc.conf, so could you be using the
> experimental MIT Kerberos?
Yes, you are right. 

I use the samba packages from Fedora Linux, so your advice is to ask on
the Fedora lists?

release -- 2:4.19.6-1.fc39
samba.x86_64
samba-dc.x86_64
samba-dc-bind-dlz.x86_64
samba-dc-provision.noarch
...


> What OS are you using and how have you setup smb.conf
smb.conf on DC is quite simple

[global]
        bind interfaces only = Yes
        interfaces = lo enp1s0
        netbios name = DC11
        realm = OFFICE.COMPANY.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = OFFICE

        winbind enum groups = Yes
        winbind enum users = Yes
        idmap_ldb:use rfc2307 = yes

        winbind use default domain = yes
        winbind nss info = template
        winbind nss info = rfc2307

        template homedir = /home/%U
        template shell = /bin/bash



> 
> There is also the problem of the the link you provided being behind a
> registration wall that I cannot get through.
Sorry, the relevant parts are the error message and the diagnostic steps
(see the Quotation below).
After their suggestion I wanted to enable listening on port 464, but it
is listening only on localhost IPv6 no matter what is in the config file
/var/lib/samba/private/kdc.conf.

tests on my DC:
$ sudo nmap -sT -sU -p 464 -6 ::1

PORT    STATE         SERVICE
464/tcp open          kpasswd5
464/udp open|filtered kpasswd5

$ sudo nmap -sT -sU -p 464 127.0.0.1

PORT    STATE  SERVICE
464/tcp closed kpasswd5
464/udp closed kpasswd5


Quotation:

Issue
When attempting to join a RHEL server to an Active Directory domain, we
receive an error that the password for the computer account could not
be set:

# adcli join example.com -U Administrator@EXAMPLE.COM
...
 * Found computer account for <HostName>$ at: CN=<HostName>,OU=Servers,DC=example,DC=com
 ! Couldn't set password for computer account: <HostName>$: Cannot contact any KDC for requested realm
adcli: joining domain example.com failed: Couldn't set password for computer account: <HostName>$: Cannot contact any KDC for requested real

Resolution
The port required to make password changes on a KDC is closed. You will
have to open the UDP/TCP 464 (Kerberos Password Change requests) ports to
allow the adding of a computer account.
You can read more about this in this Microsoft article: Conditions for
Kerberos to be used over an External Trust [2]

Root Cause
The ports 464 udp/tcp are closed. This is not well documented, but they
are required for password management. For more information refer to
Technologies for Federating Multiple Forests [3]

Diagnostic Steps
An nmap scan of both the tcp and udp ports will fail.

# nmap -sT -sU -p 464 AD.EXAMPLE.COM
...
PORT    STATE  SERVICE
464/tcp closed kpasswd5
464/udp closed kpasswd5
...


[1] https://access.redhat.com/solutions/3697241
[2] Conditions for Kerberos to be used over an External Trust
    https://access.redhat.com/bounce/?externalURL=https%3A%2F%2Fblogs.technet.microsoft.com%2Factivedirectoryua%2F2010%2F08%2F04%2Fconditions-for-kerberos-to-be-used-over-an-external-trust%2F
[3] Technologies for Federating Multiple Forests
    https://access.redhat.com/bounce/?externalURL=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2003%2Fdd560679%28v%3Dws.10%29
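As an added example (not from the thread, Samba or Red Hat), a small checker that parses `ss -tulpn` output like the one quoted above and reports which of the Kerberos ports 88 and 464 have a listener a domain member could actually reach, flagging loopback-only binds such as the `[::1]:464` one seen here. The sample input is constructed from the thread's output and the function names are my own.

```python
import ipaddress
import re
from collections import namedtuple
# Constructed sample (hypothetical), mirroring the thread's `ss -tulpn | grep ':464\|:88'`
# output with each socket's users:(...) column re-joined onto its own line.
SS_OUTPUT = """\
udp   UNCONN 0  0    0.0.0.0:88   0.0.0.0:*  users:(("krb5kdc",pid=217785,fd=16))
udp   UNCONN 0  0    [::1]:464    [::]:*     users:(("kdc[master]",pid=217782,fd=38))
tcp   LISTEN 0  5    0.0.0.0:88   0.0.0.0:*  users:(("krb5kdc",pid=217785,fd=17))
tcp   LISTEN 0  10   [::1]:464    [::]:*     users:(("kdc[master]",pid=217782,fd=37))
"""

# addr: local address with IPv6 brackets stripped; process: first name in users:(...), "" if absent
Socket = namedtuple("Socket", "proto addr port process")
# Local Address:Port is the 5th field; IPv6 is bracketed, IPv4 and the '*' wildcard are bare.
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def parse_ss(text):
    """Parse `ss -tulpn` lines into Socket tuples, skipping the header and other protocols."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        m = _LOCAL_RE.match(fields[4])
        if not m:
            continue
        proc = _PROC_RE.search(line)
        sockets.append(Socket(fields[0], m.group("v6") or m.group("v4"),
                              int(m.group("port")), proc.group(1) if proc else ""))
    return sockets

def is_loopback(addr):
    """True for 127.x.x.x / ::1 binds; wildcard binds ('*', 0.0.0.0, ::) are reachable."""
    return addr not in ("*", "0.0.0.0", "::") and ipaddress.ip_address(addr).is_loopback

def reachable_ports(sockets, ports=(88, 464)):
    """Per port and protocol: is there a listener a remote domain member can reach?"""
    result = {p: {"tcp": False, "udp": False} for p in ports}
    for s in sockets:
        if s.port in result and not is_loopback(s.addr):
            result[s.port][s.proto] = True
    return result

def unreachable(result):
    """Port/protocol pairs with no reachable listener, e.g. ['464/tcp', '464/udp']."""
    return [f"{p}/{proto}" for p, protos in sorted(result.items())
            for proto, ok in sorted(protos.items()) if not ok]
```

Feed it the real `ss -tulpn` output of a DC (`unreachable(reachable_ports(parse_ss(open("ss.txt").read())))`) before opening firewall ports: a port that only binds loopback will stay unreachable no matter what the firewall allows.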

