I recently made a fresh install of FreeIPA (VERSION: 4.6.90.pre1+git20180411, API_VERSION: 2.229) on Ubuntu 18.04 LTS. Admin credentials work fine, I can log in to the web app just fine, and creating users and authenticating from client webapps works. Authenticating from client machines mostly works, but fails when updating their password (including after initial login, when a password update is requested). The server's domain name is hardcoded correctly in /etc/hosts for each machine (I haven't set up DNS yet) and the firewall is disabled.

I've tried kinit on the server itself with similar behavior. Authentication works but password change fails:

    kinit: Cannot contact any KDC for requested realm while getting initial credentials

kpasswd has the same issue. I traced the command and got this immediately before the failure:

    [4730] 1563905746.373700: Sending initial UDP request to dgram 10.66.28.219:464
    [4730] 1563905746.373701: Initiating TCP connection to stream 10.66.28.219:464
    [4730] 1563905746.373702: Terminating TCP connection to stream 10.66.28.219:464

Port 464 doesn't seem to be responding to anything and isn't being picked up by nmap. 88 is the only Kerberos port nmap finds.

I'm mostly a newb to Kerberos. Does it make sense that the password change service wouldn't be running while the authentication service is? My understanding was that kadmind handles both, and it does seem to be running. I've tried playing with the config. I've tried leaving the kpasswd settings at their defaults, or setting kpasswd_port to 464 explicitly in kdc.conf:

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88
     restrict_anonymous_to_tgt = true

    [realms]
    ...
     kpasswd_port = 464
    ...

Any ideas on what the cause might be or what I should try next? I've run out of ideas.

JBKM
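
An added example (not part of the original post): a small parser for trace lines in the format quoted in the question, listing every endpoint the client tried that never sent a reply. The function names are hypothetical, and the last sample line, including its "Received answer" wording and address, is constructed to show what an answering endpoint looks like.

```python
import re
from collections import OrderedDict

# First three lines are the trace quoted in the question.
# The fourth line is constructed (not from the question).
SAMPLE_TRACE = """\
[4730] 1563905746.373700: Sending initial UDP request to dgram 10.66.28.219:464
[4730] 1563905746.373701: Initiating TCP connection to stream 10.66.28.219:464
[4730] 1563905746.373702: Terminating TCP connection to stream 10.66.28.219:464
[4730] 1563905746.373703: Received answer (120 bytes) from stream 192.0.2.10:88
"""

# "[pid] timestamp: message to|from dgram|stream address:port"
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*?)\s+"
    r"(?:to|from)\s+(?P<kind>dgram|stream)\s+(?P<addr>\S+):(?P<port>\d+)$"
)


def summarize(trace_text):
    """Map (kind, addr, port) -> {"events": [...], "answered": bool}."""
    endpoints = OrderedDict()
    for line in trace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines that name no endpoint are ignored
        key = (m["kind"], m["addr"], int(m["port"]))
        entry = endpoints.setdefault(key, {"events": [], "answered": False})
        entry["events"].append(m["msg"])
        if m["msg"].startswith("Received answer"):
            entry["answered"] = True
    return endpoints


def unanswered(trace_text):
    """Endpoints the client contacted that never produced a reply."""
    return [k for k, v in summarize(trace_text).items() if not v["answered"]]


if __name__ == "__main__":
    for kind, addr, port in unanswered(SAMPLE_TRACE):
        proto = "udp" if kind == "dgram" else "tcp"
        print(f"no reply from {addr}:{port}/{proto}")
```

For the trace in the question this reports port 464 on both UDP and TCP, which narrows the next check to whether anything is listening on 464 on the server.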

1 Answer

I could not get this working on Ubuntu. I switched to Fedora 30 and had no problem setting this up.

JBKM