Gentoo Forums

Samba 4 ADDC fails to contact KDC [Solved]

Forum: Networking & Security
eeuhln
n00b

Joined: 02 Nov 2016
Posts: 5

Posted: Mon Dec 05, 2016 4:51 pm    Post subject: Samba 4 ADDC fails to contact KDC [Solved]

Hello,

I have been configuring Samba 4.2.11 as an Active Directory domain controller for clients running Gentoo as well as Windows 8.1 and 10. I am using a BIND_DLZ backend and Heimdal krb5. The exact error and command is shown below.

Code:
# kinit Administrator
Administrator@DOMAIN.LAN's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm DOMAIN.LAN


I have also tried specifying the realm manually.

Code:
# kinit Administrator@DOMAIN.LAN
Administrator@DOMAIN.LAN's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm DOMAIN.LAN


My hostnames appear to resolve properly as shown below:

Code:
# host -t SRV _kerberos._udp.domain.lan
_kerberos._udp.domain.lan has SRV record 0 100 88 samba.domain.lan.


My krb5.conf:

Code:
[logging]
   default = FILE:/var/log/krb5/libs.log
   kdc = FILE:/var/log/krb5/kdc.log
   admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
        default_realm = MINDFUL.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        # the realm name must wrap its KDC settings in a block,
        # otherwise this section is ignored
        MINDFUL.LAN = {
                kdc = samba.mindful.lan:88
                admin_server = samba.mindful.lan:749
                default_domain = mindful.lan
        }

[domain_realm]
        .mindful.lan = MINDFUL.LAN
        .samba.mindful.lan = MINDFUL.LAN
[kdc]
        check-ticket-addresses = false


My smb.conf:

Code:
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LAN
        netbios name = SAMBA
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, smb, -dns, -nbt
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        smb ports = 445
        log file = /var/log/samba/log.samba
        log level = 3

[netlogon]
        path = /var/lib/samba/sysvol/domain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


Edit for clarity: my Samba server's hostname is samba, and my domain does end in .lan.

EDIT again: I have since confirmed that there are no reject or drop iptables rules on the machine running these services, and reverse lookups resolve correctly as shown below.

Code:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT


Code:
# host 192.168.1.43
43.1.168.192.in-addr.arpa domain name pointer samba.domain.lan.


Last edited by eeuhln on Fri Dec 09, 2016 4:33 pm; edited 1 time in total

eeuhln
n00b

Joined: 02 Nov 2016
Posts: 5

Posted: Fri Dec 09, 2016 4:32 pm

I have discovered that it definitely helps if you actually start Kerberos.

Code:
# rc-update add heimdal-kdc default
# /etc/init.d/heimdal-kdc start


I am marking this solved.
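The thread's diagnosis ran three separate checks by hand (SRV lookup, firewall policy, kinit) before discovering that nothing was listening on port 88. Below is an added helper script, written for this summary and not posted by eeuhln or shipped by Samba or Heimdal, that automates the first split a defender wants: is the failure a DNS problem (no usable SRV record) or a service problem (record resolves but the KDC port does not accept connections)? It parses the `host -t SRV` output format shown in the thread and probes TCP port 88 with bash's `/dev/tcp`; the realm name, the `_kerberos._tcp` lookup (Samba's KDC listens on both UDP and TCP) and the sample SRV lines are assumptions or constructed input, not values from the page.

```shell
#!/bin/bash
# Added KDC reachability check (not from the forum thread).
# Usage: ./kdc-check.sh DOMAIN.LAN

# parse_srv LINE -> prints "target port" for a host(1) SRV answer, or nothing.
# host(1) prints: NAME has SRV record PRIO WEIGHT PORT TARGET.
parse_srv() {
    printf '%s\n' "$1" | awk '/has SRV record/ {
        sub(/\.$/, "", $NF)        # strip the trailing dot from the FQDN
        print $NF, $(NF-1)         # target hostname, then port
    }'
}

# tcp_open HOST PORT -> exit 0 if a TCP connect succeeds within 3 seconds.
# Uses bash's /dev/tcp so it works without nc; a closed port fails fast
# with "connection refused", an unreachable host is cut off by timeout.
tcp_open() {
    local host=$1 port=$2
    if command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# check_kdc REALM -> resolves the SRV record for the realm (assumed to be
# published under the lowercased realm, as in the thread) and probes TCP 88.
# Exit codes: 0 = KDC reachable, 2 = no SRV record, 3 = record found but
# nothing answers on the KDC port (the thread's actual cause: KDC not started).
check_kdc() {
    local realm=$1
    local zone srv_line target port
    zone=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    srv_line=$(host -t SRV "_kerberos._tcp.$zone" 2>/dev/null)
    set -- $(parse_srv "$srv_line")
    target=$1; port=$2
    if [ -z "$target" ]; then
        echo "no _kerberos._tcp SRV record for $zone: check the DNS backend"
        return 2
    fi
    if tcp_open "$target" "$port"; then
        echo "KDC $target:$port accepts connections"
        return 0
    fi
    echo "SRV points at $target:$port but nothing answers there:"
    echo "  check that the KDC service is running and listening (e.g. ss -ltnp | grep :$port)"
    return 3
}

# Only run the live check when invoked directly with a realm argument.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -eq 1 ]; then
    check_kdc "$1"
fi
```

Running `./kdc-check.sh DOMAIN.LAN` on the poster's box before the fix would have reported the SRV target correctly and then failed the port probe, which points straight at the service rather than at DNS, iptables or krb5.conf.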