[Samba] Samba AD not listening on ipv4 - 464/tcp
Rowland Penny
rpenny at samba.org
Fri May 3 11:05:21 UTC 2024
On Fri, 03 May 2024 12:39:26 +0200
pavel.lisy at gmail.com wrote:
> On Fri, 2024-05-03 at 09:34 +0100, Rowland Penny via samba wrote:
> > On Fri, 03 May 2024 10:11:48 +0200
> > PaLi via samba <samba at lists.samba.org> wrote:
> >
> > > Hello
> > >
> > > I'm not able to connect to Samba AD domain by realm.
> > >
> > > sudo realm join OFFICE.COMPANY.COM -U administrator
> > >
> > > Password for administrator:
> > > See: journalctl REALMD_OPERATION=r41422.307314
> > > realm: Couldn't join realm: Failed to join the domain
> > >
> > > this is in journal:
> > >
> > > smbmem41.office.company.com realmd[211374]: adcli: joining domain
> > > office.company.com failed: Couldn't set password for computer
> > > account: SMBMEM41$: Cannot contact any KDC for requested realm
> > >
> > > according to
> > > https://access.redhat.com/solutions/3697241
> > > it is necessary to open ports 464/tcp, 464/udp (kpasswd5)
> > >
> > > but samba AD is listening on IPv6 localhost only
> > >
> > > sudo ss -tulpn | grep ':464\|:88'
> > > udp UNCONN 0 0  0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=16))
> > > udp UNCONN 0 0  [::1]:464  [::]:*    users:(("kdc[master]",pid=217782,fd=38))
> > > tcp LISTEN 0 5  0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=17))
> > > tcp LISTEN 0 10 [::1]:464  [::]:*    users:(("kdc[master]",pid=217782,fd=37))
> > >
> > >
> > > I'm trying to set this explicitly in
> > > file /var/lib/samba/private/kdc.conf by this directive
> > > "kpasswd_listen"
> > >
> > > [kdcdefaults]
> > > kdc_listen = 0.0.0.0
> > > kdc_tcp_listen = 0.0.0.0
> > > kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
> > > kdc_ports = 88
> > > kdc_tcp_ports = 88
> > >
> > > but nothing changed
> > >
> > > when I've changed kdc_listen I can see the difference with "sudo ss -tulpn",
> > > but no changes for kpasswd_listen
> > >
> > > How is it possible to make it work?
> > >
> > > Pavel
> > >
> >
> > Sorry, but you appear to be asking in the wrong place, realmd and adcli
> > are not produced by Samba.
> >
> > Samba uses 'net ads join' to join to an AD domain and none of my DCs
> > have /var/lib/samba/private/kdc.conf, so could you be using the
> > experimental MIT Kerberos?
> Yes, you are right.
>
> I use samba packages from Fedora linux - so your advice is to ask in
> Fedora lists?
>
> release -- 2:4.19.6-1.fc39
> samba.x86_64
> samba-dc.x86_64
> samba-dc-bind-dlz.x86_64
> samba-dc-provision.noarch
> ...
>
>
> > What OS are you using and how have you setup smb.conf
> smb.conf on DC is quite simple
>
> [global]
> bind interfaces only = Yes
> interfaces = lo enp1s0
> netbios name = DC11
> realm = OFFICE.COMPANY.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = OFFICE
>
> winbind enum groups = Yes
> winbind enum users = Yes
> idmap_ldb:use rfc2307 = yes
>
> winbind use default domain = yes
> winbind nss info = template
> winbind nss info = rfc2307
>
> template homedir = /home/%U
> template shell = /bin/bash
>
>
That is for the AD DC, I take it that:
A) The DC is running on Fedora.
B) You are using Bind9 for the dns server.
Nothing wrong with 'B', but I cannot recommend using the DC in
production: it will be using MIT Kerberos and, as such, it is still
marked as experimental.
However, your initial post was about joining a Unix domain member to AD,
so how have you set up the smb.conf on that (which I take it is Fedora
again).
Please just reply to the list, do not 'CC' me.
Rowland
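The diagnostic that started this thread is a DC whose kpasswd listener (464) is bound to [::1] only while the KDC (88) is bound to 0.0.0.0, which is exactly why the member's join fails at the "set password for computer account" step. The script below is an added example, not code from the thread or from the Samba project: it parses `ss -tulpn` output and flags any of 88/464 (tcp and udp) that is absent or bound only to a loopback address, so the DC can be checked before a `realm join` or `net ads join` is attempted. The sample `ss` lines are constructed to mirror the shape of the output posted above (pids and fds are made up); the `SS_OUTPUT` variable and all function names are this example's own.

```shell
#!/bin/sh
# Added example: spot loopback-only Kerberos listeners on a Samba AD DC
# from `ss -tulpn` output. Not part of the original thread or of Samba.

# Constructed sample in the same layout as `ss -tulpn` (no header line):
# 88 is wildcard-bound, 464 is bound to ::1 only, as in the thread.
SAMPLE_SS='udp UNCONN 0 0  0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=1,fd=16))
udp UNCONN 0 0  [::1]:464  [::]:*    users:(("kdc[master]",pid=2,fd=38))
tcp LISTEN 0 5  0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=1,fd=17))
tcp LISTEN 0 10 [::1]:464  [::]:*    users:(("kdc[master]",pid=2,fd=37))'

# Use real data by exporting SS_OUTPUT="$(ss -tulpn)" before running;
# otherwise the constructed sample above is analysed.
SS_OUTPUT=${SS_OUTPUT:-$SAMPLE_SS}

# is_loopback ADDR: 127.x.x.x and [::1] are unreachable from other hosts.
is_loopback() {
    case "$1" in
        127.*|"[::1]") return 0 ;;
        *)             return 1 ;;
    esac
}

# port_reachable PROTO PORT: succeeds if at least one PROTO socket on PORT
# is bound to a wildcard (0.0.0.0, [::], *) or a non-loopback address.
# Field 5 of `ss -tulpn` is "Local Address:Port"; the port suffix is stripped.
port_reachable() {
    proto=$1
    port=$2
    addrs=$(printf '%s\n' "$SS_OUTPUT" | awk -v pr="$proto" -v p="$port" '
        $1 == pr && $5 ~ (":" p "$") { sub(/:[0-9]+$/, "", $5); print $5 }')
    for a in $addrs; do
        is_loopback "$a" || return 0
    done
    return 1
}

# check_kdc_ports: report the four listeners a member needs for a join
# (88 for AS/TGS, 464 for the kpasswd change) and return 1 if any is
# missing or loopback-only.
check_kdc_ports() {
    rc=0
    for proto in tcp udp; do
        for port in 88 464; do
            if port_reachable "$proto" "$port"; then
                echo "ok       $proto/$port bound to a reachable address"
            else
                echo "PROBLEM  $proto/$port missing or loopback-only"
                rc=1
            fi
        done
    done
    return $rc
}

check_kdc_ports || echo "fix the 464 binding on the DC before joining members"
```

Run it on the DC itself (or feed it saved `ss` output). With the sample data it reports both 464 sockets as PROBLEM, matching the "Cannot contact any KDC for requested realm" error the member produced, which is misleading because 88 is fine and it is the password-change port that is unreachable.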