Newly built standalone AD DC (test bed in preparation for replacing venerable NT4 installation). Fresh and fully updated 4.3.11 on 16.04LTS. Followed Samba wikis, simple enough.

Haven't messed with smb.conf, per warnings:

[global]
        workgroup = REALM
        realm = REALM.DOMAIN.TLD
        netbios name = ADDC
        server role = active directory domain controller
        dns forwarder = 1.0.0.1
        idmap_ldb:use rfc2307 = yes

I stayed with Samba's internal DNS backend and Kerberos implementation. I directly copied the krb5.conf produced during provisioning to /etc, as specified:

[libdefaults]
        default_realm = REALM.DOMAIN.TLD
        dns_lookup_realm = false
        dns_lookup_kdc = true

Passing all "Setting up Samba as an Active Directory Domain Controller" wiki tests for "Verifying the File Server" and "Verifying DNS." By which I mean querying _ldap and _Kerberos SRV records as well as A record of ADDC is successful, and resolution works both ways:

$ host DC
DC.realm.domain.tld has address 10.10.10.100
$ host 10.10.10.100
100.10.10.10.in-addr.arpa domain name pointer DC.realm.domain.tld.

But "Verifying Kerberos" tests still fail:

$ kinit
kinit: Cannot contact any KDC for realm 'REALM.DOMAIN.TLD' while getting initial credentials

Obviously Kerberos is not reachable. $netstat shows no "krb" process listening on any port, including port 88. No firewall is running.

But for all the troubleshooting advice to verify that Kerberos is listening on port 88, I can find no direction about what to do if it isn't!

How do I get Samba's Kerberos running?

feldmrob
  • All the relevant Daemons are running, correct? – Davidw Jul 11 '18 at 04:27
  • Thanks Davidw for the prompt reply, and sorry for not saying so sooner. I'm on other projects and won't get right back to this one. Also sorry to have missed the obvious -- of course the most likely explanation is the one I somehow didn't think of. I'll research which daemon(s) should be running and fully expect to find they're not. – feldmrob Jul 14 '18 at 03:50
  • Thank you Davidw! It's still not obvious to me how I managed to get the Kerberos config and user auth modules installed without the pam module, but you put me on the right track and now all is well. – feldmrob Jul 17 '18 at 16:26

1 Answer

The Samba "Distribution-specific Package Installation" wiki does not specify that Active Directory installation requires explicit Kerberos installation on Ubuntu.

But it is in Debian instructions, so I took a shot and now everything works:

  1. Installed missing libpam-krb5

  2. Re-provisioned domain

feldmrob
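The port-88 check from the question, as an added example that is not part of the original post: it parses `netstat -tuln` output and reports whether a KDC socket is bound on TCP and UDP 88. The function names `kdc_listeners` and `kdc_report` are hypothetical, and both sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Input on stdin is the output of `netstat -tuln`.

# kdc_listeners [PORT]: prints "tcp", "udp" or "tcp udp"; exit status 1 if neither is bound.
kdc_listeners() {
    awk -v port="${1:-88}" '
        {
            proto = $1
            sub(/6$/, "", proto)          # fold tcp6/udp6 into tcp/udp
            n = split($4, addr, ":")      # $4 is Local Address; the port is its last ":" field
            if (n > 1 && addr[n] == port) seen[proto] = 1
        }
        END {
            out = ""
            if (seen["tcp"]) out = "tcp"
            if (seen["udp"]) out = (out == "" ? "udp" : out " udp")
            if (out == "") exit 1
            print out
        }'
}

# kdc_report: one-line verdict for the listener text on stdin.
kdc_report() {
    if found=$(kdc_listeners 88); then
        echo "KDC bound on port 88: $found"
    else
        echo "no KDC listener on port 88"
        return 1
    fi
}

# Constructed sample: the state described in the question (other services up, nothing on 88).
SAMPLE_BROKEN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN'

# Constructed sample: a DC whose KDC is up (port 8888 must not count as 88).
SAMPLE_WORKING='tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN
tcp6       0      0 :::88                   :::*                    LISTEN
udp        0      0 0.0.0.0:88              0.0.0.0:*
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN'

printf '%s\n' "$SAMPLE_BROKEN"  | kdc_report || true
printf '%s\n' "$SAMPLE_WORKING" | kdc_report
# Live use on the DC: netstat -tuln | kdc_report
```
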