
I followed the "Setting up Samba as an Active Directory Domain Controller" wiki and all seems fine (kinit, klist, net ads user, net ads group work).

Adding users without password also works, but if I set any password, it fails:

net ads user add tester test1234

Error:

Could not add user tester. Error setting password Cannot contact any KDC for requested realm

I have read and tried the answers of several similar questions like:

Kerberos Login Failed: Cannot resolve network address for KDC in requested realm - Kerio and Open Directory

Samba4 & Active Directory Kerberos [Cannot contact any KDC for realm 'INTERNAL.CORP.COM' while getting initial credentials

winbindd: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Cannot contact any KDC for requested realm

... and more

I also reinstalled the OS several times. On a clean installation, the only additional packages installed are: samba, krb5-user, libpam-krb5, winbind, libpam-winbind, ldb-tools, ntp, smbclient, smbldap-tools

Versions:

  • Ubuntu Server 18.04 x64 (kernel 4.15.0-30-generic)
  • samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.2

My config files:

/etc/samba/smb.conf

# Global parameters
[global]
    dns forwarder = 192.168.10.30
    netbios name = ADS3
    realm = AAA-AAA.NET
    server role = active directory domain controller
    workgroup = AAA-AAA
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/aaa-aaa.net/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

/etc/krb5.conf

[libdefaults]
    default_realm = AAA-AAA.NET
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    AAA-AAA.NET = {
        kdc = ads3.aaa-aaa.net:88
        admin_server = ads3.aaa-aaa.net
    }

[domain_realm]
    .aaa-aaa.net = AAA-AAA.NET
    aaa-aaa.net = AAA-AAA.NET

/etc/hosts

127.0.0.1   localhost.localdomain   localhost
192.168.10.33 ads3.aaa-aaa.net ads3

/etc/resolv.conf

domain aaa-aaa.net
search aaa-aaa.net
nameserver 192.168.10.30

Note: systemd-resolved was disabled to prevent resolv.conf from being updated.

Output:

nmap localhost

PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown

net ads info

LDAP server: 192.168.10.33
LDAP server name: ads3.aaa-aaa.net
Realm: AAA-AAA.NET
Bind Path: dc=AAA-AAA,dc=NET
LDAP port: 389
Server time: Wed, 15 Aug 2018 14:35:33 JST
KDC server: 192.168.10.33
Server time offset: 0

dig -t srv _kerberos._udp.aaa-aaa.net

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> -t srv _kerberos._udp.aaa-aaa.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34079
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_kerberos._udp.aaa-aaa.net.    IN  SRV

;; Query time: 0 msec
;; SERVER: 192.168.10.30#53(192.168.10.30)
;; WHEN: Wed Aug 15 14:37:09 JST 2018
;; MSG SIZE  rcvd: 44

Note: the DNS server (at 192.168.10.30) is running dnsmasqd and is working properly. ads3.aaa-aaa.net resolves to 192.168.10.33.

kadmin

Authenticating as principal administrator/admin@AAA-AAA.NET with password.
kadmin: Client 'administrator/admin@AAA-AAA.NET' not found in Kerberos database while initializing kadmin interface

I have also looked into the kadmin error without success. I tried installing krb5-kdc and krb5-admin-server, but they interfere with the setup (unable to use kinit).

Any help appreciated.

Update 1

According to Michael in the only answer (until now) for the question Samba4 and Kerberos configuration on a dedicated server, there is no need to install krb5-kdc/krb5-admin-server separately, so that is not it.

We found that the DNS response in our setup was wrong; samba_dnsupdate --verbose --all-names was reporting:

dns.resolver.NXDOMAIN: The DNS query name does not exist

so we added the following rules to dnsmasq.conf at our DNS server (192.168.10.30):

server=/aaa-aaa.net/192.168.10.33
srv-host=_ldap._tcp.aaa-aaa.net,ads3.aaa-aaa.net,389
srv-host=_kerberos._udp.aaa-aaa.net,ads3.aaa-aaa.net,88

We tested them from another computer, with:

host -t SRV _ldap._tcp.aaa-aaa.net.
host -t SRV _kerberos._udp.aaa-aaa.net.

And now the response is fine. Example:

_kerberos._udp.aaa-aaa.net has SRV record 0 0 88 ads3.aaa-aaa.net.

Also samba_dnsupdate --verbose --all-names output seems correct.

Current status at this point:

kadmin (same as before)

kadmin: Client 'administrator/admin@AAA-AAA.NET' not found in Kerberos database while initializing kadmin interface

net ads user add tester test1234

Could not add user tester. Error setting password Operation not permitted

Update 2

We were able to set user passwords with other commands:

pdbedit -a -u tester (password input will prompt)
samba-tool user setpassword --newpassword=test1234 tester

We were able to connect from Windows, so it's solved for the moment. If anyone knows why kadmin fails and why the net command is unable to set passwords, I will accept that answer.

lepe
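The failure above comes from MIT Kerberos (dns_lookup_kdc = true) looking up _kerberos._udp.&lt;realm&gt; SRV records that the forwarder answered with NXDOMAIN. The checker below is an added example, not code from the question or from Samba: it parses `host -t SRV` output of the form shown in Update 1, compares it against the set of SRV records an AD DC is expected to publish (an assumed list; the question only adds _ldap._tcp and _kerberos._udp, while _kpasswd on 464 is what password changes use), and emits the dnsmasq srv-host= lines that would fill the gaps. The sample output is constructed.

```python
import re
from typing import Dict, List, Tuple

# SRV records an AD DC is expected to publish for Kerberos/LDAP clients.
# Assumed set for this check (not taken from the question).
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,     # what dns_lookup_kdc = true resolves first
    "_kpasswd._tcp": 464,     # used when a password is set (kpasswd protocol)
    "_kpasswd._udp": 464,
    "_gc._tcp": 3268,
}

# Matches `host -t SRV` lines such as:
# "_kerberos._udp.aaa-aaa.net has SRV record 0 0 88 ads3.aaa-aaa.net."
SRV_LINE = re.compile(
    r"^(?P<name>\S+?)\.?\s+has SRV record\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)

def parse_host_srv(output: str) -> Dict[str, Tuple[int, str]]:
    """Return {owner name: (port, target)} for every SRV line in `host` output."""
    found = {}
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            found[m.group("name").lower()] = (int(m.group("port")), m.group("target").lower())
    return found

def check_dc_srv(output: str, realm: str, dc_host: str) -> Tuple[List[str], List[str]]:
    """Compare published SRV records with REQUIRED_SRV.
    Returns (problems, dnsmasq_lines); dnsmasq_lines are srv-host= entries
    that would publish each missing or mismatched record on the forwarder."""
    domain, dc = realm.lower(), dc_host.lower()
    found = parse_host_srv(output)
    problems, fixes = [], []
    for svc, port in REQUIRED_SRV.items():
        name = f"{svc}.{domain}"
        rec = found.get(name)
        if rec is None:
            problems.append(f"{name}: missing (NXDOMAIN)")
        elif rec != (port, dc):
            problems.append(f"{name}: points to {rec[1]}:{rec[0]}, expected {dc}:{port}")
        else:
            continue
        fixes.append(f"srv-host={name},{dc},{port}")
    return problems, fixes

# Constructed `host -t SRV` output mirroring the state after Update 1.
SAMPLE = """_ldap._tcp.aaa-aaa.net has SRV record 0 0 389 ads3.aaa-aaa.net.
_kerberos._udp.aaa-aaa.net has SRV record 0 0 88 ads3.aaa-aaa.net.
"""

if __name__ == "__main__":
    probs, fixes = check_dc_srv(SAMPLE, "AAA-AAA.NET", "ads3.aaa-aaa.net")
    print("\n".join(probs) or "all SRV records present")
    print("\n".join(fixes))
```

Run it against the real output of `host -t SRV` for each name to see which records the forwarder still lacks before retrying `net ads user add`.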
