# Samba 4 ADDC fails to contact KDC [Solved]

## eeuhln

Hello,

I have been configuring Samba 4.2.11 as an Active Directory domain controller for clients running Gentoo as well as Windows 8.1 and 10. I am using a BIND_DLZ backend and Heimdal krb5. The exact error and command is shown below.

```
# kinit Administrator
Administrator@DOMAIN.LAN's Password: 
kinit: krb5_get_init_creds: unable to reach any KDC in realm DOMAIN.LAN
```

I have also tried specifying the realm manually.

```
# kinit Administrator@DOMAIN.LAN
Administrator@DOMAIN.LAN's Password: 
kinit: krb5_get_init_creds: unable to reach any KDC in realm DOMAIN.LAN
```

My hostnames appear to resolve properly as shown below:

```
# host -t SRV _kerberos._udp.domain.lan
_kerberos._udp.domain.lan has SRV record 0 100 88 samba.domain.lan.
```

My krb5.conf:

```
[logging]
        default = FILE:/var/log/krb5/libs.log
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
        default_realm = MINDFUL.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        # the kdc/admin_server/default_domain entries must sit inside a
        # "REALM = { ... }" block, otherwise the section is ignored
        MINDFUL.LAN = {
                kdc = samba.mindful.lan:88
                admin_server = samba.mindful.lan:749
                default_domain = mindful.lan
        }

[domain_realm]
        .mindful.lan = MINDFUL.LAN
        .samba.mindful.lan = MINDFUL.LAN

[kdc]
        check-ticket-addresses = false
```

My smb.conf:

```
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LAN
        netbios name = SAMBA
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, smb, -dns, -nbt
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        smb ports = 445
        log file = /var/log/samba/log.samba
        log level = 3

[netlogon]
        path = /var/lib/samba/sysvol/domain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
```

Edit for clarity: my Samba server's hostname is samba, and my domain does end in .lan.

EDIT again: I have since confirmed that there are no reject or drop iptables rules on the machine running these services, and reverse lookups resolve correctly as shown below.

```
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
```

```
# host 192.168.1.43
43.1.168.192.in-addr.arpa domain name pointer samba.domain.lan.
```

Last edited by eeuhln on Fri Dec 09, 2016 4:33 pm; edited 1 time in total

----------

## eeuhln

I have discovered that it definitely helps if you actually start Kerberos.

```
# rc-update add heimdal-kdc default
# /etc/init.d/heimdal-kdc start
```

I am marking this solved.
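The two checks that would have caught this before touching DNS or iptables are "does the KDC actually have a socket open on 88/tcp and 88/udp" and "do smb.conf and krb5.conf agree on the realm". The script below is an added example, not code from the thread or from Samba/Heimdal. It runs offline: the sample smb.conf and krb5.conf are constructed to mirror the ones posted above (note the realm mismatch between them), and the `ss -lntu` output is constructed as well; the column layout it parses (Netid, State, Recv-Q, Send-Q, Local Address:Port) is that of iproute2's `ss`. On a live DC you would point the same functions at the real files and at `$(ss -lntu)`, as the comments at the end show.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for "unable to reach any KDC" on a Samba AD DC.
# All inputs are constructed inline so the script runs offline.

# Pull "key = value" out of an INI-style file (smb.conf / krb5.conf style).
# Key match is case-insensitive and whitespace-tolerant; the last match wins.
ini_value() {
    local file="$1" key
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v k="$key" -F'=' '
        tolower($1) ~ "^[ \t]*" k "[ \t]*$" {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); out = v
        }
        END { print out }' "$file"
}

# Succeeds only when smb.conf "realm" and krb5.conf "default_realm" are the
# same realm (compared case-insensitively). Kerberos realms are case-sensitive
# on the wire, and Samba provisions its own krb5.conf, so a hand-edited copy
# that drifts from smb.conf is a classic source of "no KDC for realm X".
realms_match() {
    local smb_realm krb_realm
    smb_realm=$(ini_value "$1" realm | tr '[:lower:]' '[:upper:]')
    krb_realm=$(ini_value "$2" default_realm | tr '[:lower:]' '[:upper:]')
    if [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]; then
        echo "ok: realm $smb_realm is consistent across smb.conf and krb5.conf"
        return 0
    fi
    echo "MISMATCH: smb.conf realm='$smb_realm' krb5.conf default_realm='$krb_realm'" >&2
    return 1
}

# $1: text in the format of `ss -lntu`, $2: port. Succeeds only when there is
# a listener on BOTH tcp and udp for that port: clients try UDP first and fall
# back to TCP for replies that do not fit in a datagram, so a KDC bound to
# only one of the two still produces client-side failures.
kdc_listening() {
    local ss_output="$1" port="$2" proto
    for proto in tcp udp; do
        printf '%s\n' "$ss_output" \
          | awk -v p="$proto" -v port="$port" '
              $1 == p && $5 ~ ":" port "$" { found = 1 }
              END { exit !found }' \
          || { echo "no $proto listener on port $port" >&2; return 1; }
    done
    echo "ok: KDC listening on tcp/$port and udp/$port"
}

# Constructed sample configs (directory given as $1), mirroring the thread.
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LAN
        server role = active directory domain controller
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = MINDFUL.LAN
        dns_lookup_kdc = true
EOF
}

# Constructed `ss -lntu` output: with no KDC running only the SMB and LDAP
# listeners exist; once the KDC is up, port 88 appears on both protocols.
SS_NO_KDC='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0      10           0.0.0.0:389       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:389       0.0.0.0:*'
SS_WITH_KDC="$SS_NO_KDC
tcp   LISTEN 0      10           0.0.0.0:88        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:88        0.0.0.0:*"

# Demo run over the constructed inputs.
workdir=$(mktemp -d)
write_samples "$workdir"
realms_match "$workdir/smb.conf" "$workdir/krb5.conf" || true
kdc_listening "$SS_NO_KDC" 88 || echo "-> nothing answers on 88: start the KDC, then re-check"
kdc_listening "$SS_WITH_KDC" 88
rm -rf "$workdir"

# On a live DC (paths are the usual defaults, adjust for your install):
#   realms_match /etc/samba/smb.conf /etc/krb5.conf
#   kdc_listening "$(ss -lntu)" 88
```

One caveat on the fix above: on a Samba AD DC the KDC normally runs inside the samba process itself (the `kdc` entry in `server services`), so what the port check tells you is whether anything is answering on 88 at all, not which daemon owns the socket. Note also that the realm check is deliberately strict about `default_realm`; with `dns_lookup_kdc = true` the client will still find the KDC via the `_kerberos._udp` SRV record shown in the post, but only for the realm it was asked about, and a wrong default realm means `kinit Administrator` asks about the wrong one.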

----------

