pavel.lisy at gmail.com
2024-May-03 08:11 UTC
[Samba] Samba AD not listening on ipv4 - 464/tcp
Hello

I'm not able to connect to Samba AD domain by realm.

sudo realm join OFFICE.COMPANY.COM -U administrator

Password for administrator:
See: journalctl REALMD_OPERATION=r41422.307314
realm: Couldn't join realm: Failed to join the domain

this is in journal:

smbmem41.office.company.com realmd[211374]: adcli: joining domain office.company.com failed: Couldn't set password for computer account: SMBMEM41$: Cannot contact any KDC for requested realm

according to
https://access.redhat.com/solutions/3697241
it is necessary to open ports 464/tcp, 464/udp (kpasswd5)

but samba AD is listening on IPv6 localhost only

sudo ss -tulpn | grep ':464\|:88'
udp UNCONN 0 0 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=16))
udp UNCONN 0 0 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=38))
tcp LISTEN 0 5 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=17))
tcp LISTEN 0 10 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=37))

I'm trying to set this explicitly in file /var/lib/samba/private/kdc.conf by this directive "kpasswd_listen"

[kdcdefaults]
kdc_listen = 0.0.0.0
kdc_tcp_listen = 0.0.0.0
kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
kdc_ports = 88
kdc_tcp_ports = 88

but nothing changed

when I've changed kdc_listen I can see difference by "sudo ss -tulpn" but no changes for kpasswd_listen

How is it possible to make it work?

Pavel
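An added example, not part of the original post and not Samba or realmd code: a small Python check that reads `ss -tulpn` output and reports which Kerberos listeners (88, 464) a remote client cannot reach because they are absent or bound to loopback only. The sample input is constructed from the listener lines quoted in the post, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample: the four listener lines from the post, one socket per line.
SAMPLE_SS = """\
udp UNCONN 0 0  0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=16))
udp UNCONN 0 0  [::1]:464  [::]:*    users:(("kdc[master]",pid=217782,fd=38))
tcp LISTEN 0 5  0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=17))
tcp LISTEN 0 10 [::1]:464  [::]:*    users:(("kdc[master]",pid=217782,fd=37))
"""
KERBEROS_PORTS = {88: "kerberos", 464: "kpasswd"}


def split_local(addr):
    """Split ss's 'Local Address:Port' column into (host, port-as-string)."""
    host, _, port = addr.rpartition(":")
    return host.split("%")[0].strip("[]"), port  # drop %iface scope and brackets


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; '*' is ss's all-addresses wildcard."""
    return host != "*" and ipaddress.ip_address(host).is_loopback


def classify_listeners(ss_output, ports=KERBEROS_PORTS):
    """Map (proto, port) -> 'loopback-only' or 'reachable' for sockets that exist."""
    seen = {}
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        host, port = split_local(f[4])
        if port.isdigit() and int(port) in ports:  # needs numeric output (-n)
            seen.setdefault((f[0], int(port)), []).append(host)
    return {k: "loopback-only" if all(is_loopback(h) for h in v) else "reachable"
            for k, v in seen.items()}


def unreachable(ss_output, ports=KERBEROS_PORTS):
    """(proto, port) pairs a remote client cannot use: absent or loopback-only."""
    state = classify_listeners(ss_output, ports)
    wanted = [(proto, port) for proto in ("tcp", "udp") for port in ports]
    return sorted(k for k in wanted if state.get(k) != "reachable")


if __name__ == "__main__":
    for proto, port in unreachable(SAMPLE_SS):
        print(f"{KERBEROS_PORTS[port]} {port}/{proto}: not reachable from the network")
```

On the sample it reports 464/tcp and 464/udp, matching the "Cannot contact any KDC" failure at the password-setting step of the join.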
On Fri, 03 May 2024 10:11:48 +0200 PaLi via samba <samba at lists.samba.org> wrote:

> Hello
>
> I'm not able to connect to Samba AD domain by realm.
>
> sudo realm join OFFICE.COMPANY.COM -U administrator
>
> Password for administrator:
> See: journalctl REALMD_OPERATION=r41422.307314
> realm: Couldn't join realm: Failed to join the domain
>
> this is in journal:
>
> smbmem41.office.company.com realmd[211374]: adcli: joining domain office.company.com failed: Couldn't set password for computer account: SMBMEM41$: Cannot contact any KDC for requested realm
>
> according to
> https://access.redhat.com/solutions/3697241
> it is necessary to open ports 464/tcp, 464/udp (kpasswd5)
>
> but samba AD is listening on IPv6 localhost only
>
> sudo ss -tulpn | grep ':464\|:88'
> udp UNCONN 0 0 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=16))
> udp UNCONN 0 0 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=38))
> tcp LISTEN 0 5 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=17))
> tcp LISTEN 0 10 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=37))
>
> I'm trying to set this explicitly in file /var/lib/samba/private/kdc.conf by this directive "kpasswd_listen"
>
> [kdcdefaults]
> kdc_listen = 0.0.0.0
> kdc_tcp_listen = 0.0.0.0
> kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
> kdc_ports = 88
> kdc_tcp_ports = 88
>
> but nothing changed
>
> when I've changed kdc_listen I can see difference by "sudo ss -tulpn" but no changes for kpasswd_listen
>
> How is it possible to make it work?
>
> Pavel

Sorry, but you appear to be asking in the wrong place; realmd and adcli are not produced by Samba.

Samba uses 'net ads join' to join to an AD domain and none of my DCs have /var/lib/samba/private/kdc.conf, so could you be using the experimental MIT kerberos?

What OS are you using and how have you set up smb.conf?

There is also the problem of the link you provided being behind a registration wall that I cannot get through.

Rowland