On Fri, 03 May 2024 10:11:48 +0200
PaLi via samba <samba at lists.samba.org> wrote:

> Hello
>
> I'm not able to connect to Samba AD domain by realm.
>
> sudo realm join OFFICE.COMPANY.COM -U administrator
>
> Password for administrator:
> See: journalctl REALMD_OPERATION=r41422.307314
> realm: Couldn't join realm: Failed to join the domain
>
> this is in journal:
>
> smbmem41.office.company.com realmd[211374]: adcli: joining domain
> office.company.com failed: Couldn't set password for computer
> account: SMBMEM41$: Cannot contact any KDC for requested realm
>
> according to
> https://access.redhat.com/solutions/3697241
> it is necessary to open ports 464/tcp, 464/udp (kpasswd5)
>
> but samba AD is listening on IPv6 localhost only
>
> sudo ss -tulpn | grep ':464\|:88'
> udp   UNCONN 0      0            0.0.0.0:88        0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=16))
> udp   UNCONN 0      0              [::1]:464          [::]:*    users:(("kdc[master]",pid=217782,fd=38))
> tcp   LISTEN 0      5            0.0.0.0:88        0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=17))
> tcp   LISTEN 0      10             [::1]:464          [::]:*    users:(("kdc[master]",pid=217782,fd=37))
>
> I'm trying to set this explicitly in
> file /var/lib/samba/private/kdc.conf by this directive
> "kpasswd_listen"
>
> [kdcdefaults]
>     kdc_listen = 0.0.0.0
>     kdc_tcp_listen = 0.0.0.0
>     kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
>     kdc_ports = 88
>     kdc_tcp_ports = 88
>
> but nothing changed
>
> when I've changed kdc_listen I can see difference by "sudo ss -tulpn"
> but no changes for kpasswd_listen
>
> How is it possible to make it work?
>
> Pavel

Sorry, but you appear to be asking in the wrong place, realmd and adcli
are not produced by Samba.

Samba uses 'net ads join' to join to an AD domain and none of my DCs
have /var/lib/samba/private/kdc.conf, so could you be using the
experimental MIT kerberos ?

What OS are you using and how have you setup smb.conf

There is also the problem of the link you provided being behind a
registration wall that I cannot get through.

Rowland

pavel.lisy at gmail.com
2024-May-03 10:39 UTC
[Samba] Samba AD not listening on ipv4 - 464/tcp
On Fri, 2024-05-03 at 09:34 +0100, Rowland Penny via samba wrote:
> On Fri, 03 May 2024 10:11:48 +0200
> PaLi via samba <samba at lists.samba.org> wrote:
>
> > Hello
> >
> > I'm not able to connect to Samba AD domain by realm.
> >
> > sudo realm join OFFICE.COMPANY.COM -U administrator
> >
> > Password for administrator:
> > See: journalctl REALMD_OPERATION=r41422.307314
> > realm: Couldn't join realm: Failed to join the domain
> >
> > this is in journal:
> >
> > smbmem41.office.company.com realmd[211374]: adcli: joining domain
> > office.company.com failed: Couldn't set password for computer
> > account: SMBMEM41$: Cannot contact any KDC for requested realm
> >
> > according to
> > https://access.redhat.com/solutions/3697241
> > it is necessary to open ports 464/tcp, 464/udp (kpasswd5)
> >
> > but samba AD is listening on IPv6 localhost only
> >
> > sudo ss -tulpn | grep ':464\|:88'
> > udp   UNCONN 0      0            0.0.0.0:88        0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=16))
> > udp   UNCONN 0      0              [::1]:464          [::]:*    users:(("kdc[master]",pid=217782,fd=38))
> > tcp   LISTEN 0      5            0.0.0.0:88        0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=17))
> > tcp   LISTEN 0      10             [::1]:464          [::]:*    users:(("kdc[master]",pid=217782,fd=37))
> >
> > I'm trying to set this explicitly in
> > file /var/lib/samba/private/kdc.conf by this directive
> > "kpasswd_listen"
> >
> > [kdcdefaults]
> >     kdc_listen = 0.0.0.0
> >     kdc_tcp_listen = 0.0.0.0
> >     kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
> >     kdc_ports = 88
> >     kdc_tcp_ports = 88
> >
> > but nothing changed
> >
> > when I've changed kdc_listen I can see difference by "sudo ss -tulpn"
> > but no changes for kpasswd_listen
> >
> > How is it possible to make it work?
> >
> > Pavel
>
> Sorry, but you appear to be asking in the wrong place, realmd and
> adcli are not produced by Samba
>
> Samba uses 'net ads join' to join to an AD domain and none of my DCs
> have /var/lib/samba/private/kdc.conf, so could you be using the
> experimental MIT kerberos ?

Yes, you are right. I use samba packages from Fedora linux - so your
advice is to ask in Fedora lists?

release -- 2:4.19.6-1.fc39
samba.x86_64
samba-dc.x86_64
samba-dc-bind-dlz.x86_64
samba-dc-provision.noarch
...

> What OS are you using and how have you setup smb.conf

smb.conf on DC is quite simple

[global]
    bind interfaces only = Yes
    interfaces = lo enp1s0
    netbios name = DC11
    realm = OFFICE.COMPANY.COM
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = OFFICE
    winbind enum groups = Yes
    winbind enum users = Yes
    idmap_ldb:use rfc2307 = yes
    winbind use default domain = yes
    winbind nss info = template
    winbind nss info = rfc2307
    template homedir = /home/%U
    template shell = /bin/bash

> There is also the problem of the link you provided being behind a
> registration wall that I cannot get through.

Sorry, relevant parts are error message and diagnostic steps (see below,
Quotation:)

After their suggestion I wanted to enable listening on port 464, but it
is listening only on localhost IPv6 no matter what is in config file
/var/lib/samba/private/kdc.conf.

tests on my DC:

$ sudo nmap -sT -sU -p 464 -6 ::1
PORT    STATE         SERVICE
464/tcp open          kpasswd5
464/udp open|filtered kpasswd5

$ sudo nmap -sT -sU -p 464 127.0.0.1
PORT    STATE  SERVICE
464/tcp closed kpasswd5
464/udp closed kpasswd5

Quotation:

Issue

When attempting to join a RHEL server to an Active Directory domain, we
receive an error that the password for the computer account could not
be set:

Raw [1]
# adcli join example.com -U Administrator at EXAMPLE.COM
...
 * Found computer account for <HostName>$ at: CN=<HostName>,OU=Servers,DC=example,DC=com
 ! Couldn't set password for computer account: <HostName>$: Cannot contact any KDC for requested realm
adcli: joining domain example.com failed: Couldn't set password for computer account: <HostName>$: Cannot contact any KDC for requested real

Resolution

The port required to make password changes on a KDC is closed. You will
have to open UDP/TCP 464 (Kerberos Password Change requests) ports to
allow the adding of computer account. You can read more about this in
this Microsoft article: Conditions for Kerberos to be used over an
External Trust [2]

Root Cause

The port 464 udp/tcp are closed. This is not well documented, but they
are required for password management. For more information refer to
Technologies for Federating Multiple Forests [3]

Diagnostic Steps

An nmap scan of both the tcp and udp ports will fail.

Raw [1]
# nmap -sT -sU -p 464 AD.EXAMPLE.COM
...
PORT    STATE  SERVICE
464/tcp closed kpasswd5
464/udp closed kpasswd5
...

[1] Raw https://access.redhat.com/solutions/3697241#
[2] Conditions for Kerberos to be used over an External Trust https://access.redhat.com/bounce/?externalURL=https%3A%2F%2Fblogs.technet.microsoft.com%2Factivedirectoryua%2F2010%2F08%2F04%2Fconditions-for-kerberos-to-be-used-over-an-external-trust%2F
[3] Technologies for Federating Multiple Forests https://access.redhat.com/bounce/?externalURL=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2003%2Fdd560679%28v%3Dws.10%29
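As an added diagnostic (not code from the thread, from Samba or from the Red Hat article), the following sh script classifies the KDC (88) and kpasswd (464) listeners from `ss -tulpn` output and reports whether each is reachable over IPv4 from a domain member; SS_SAMPLE is a constructed listing modelled on the `ss` output posted above, and on a real DC you would pipe the live `ss -tulpn` output in instead.

```shell
#!/bin/sh
# Added example, not from the thread: decide from `ss -tulpn` output whether
# the KDC (88) and kpasswd (464) services are reachable over IPv4 from other
# hosts. SS_SAMPLE is a constructed listing modelled on the one posted above.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:88        0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=16))
udp   UNCONN 0      0              [::1]:464          [::]:*    users:(("kdc[master]",pid=217782,fd=38))
tcp   LISTEN 0      5            0.0.0.0:88        0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=17))
tcp   LISTEN 0      10             [::1]:464          [::]:*    users:(("kdc[master]",pid=217782,fd=37))'

# Print "proto addr port" for each socket bound to PORT ($1); ss output on stdin.
# The port is everything after the last ':' of column 5, so [::1]:464 works too.
listeners_on_port() {
  awk -v port="$1" 'NR > 1 {
      p = $5; sub(/.*:/, "", p)
      if (p != port) next
      addr = $5; sub(/:[^:]*$/, "", addr)
      print $1, addr, p
  }'
}

# Succeed (exit 0) when PORT ($1) has a listener a domain member can reach over
# IPv4: a wildcard or a non-loopback IPv4 address. 127.x and [::1] do not count.
ipv4_reachable() {
  listeners_on_port "$1" | awk '
      $2 == "0.0.0.0" || $2 == "*" { ok = 1 }
      $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 !~ /^127\./ { ok = 1 }
      END { exit ok ? 0 : 1 }'
}

# Report both Kerberos ports for the sample; on a real DC pipe `ss -tulpn` instead.
report() {
  for p in 88 464; do
    if printf '%s\n' "$SS_SAMPLE" | ipv4_reachable "$p"; then
      echo "port $p: reachable over IPv4"
    else
      echo "port $p: NOT reachable over IPv4 (loopback/IPv6-only listeners)"
    fi
  done
}
report
```

For the sample above the script reports port 88 as reachable and port 464 as not, which matches the nmap results against ::1 and 127.0.0.1 in the message.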