When attempting to join a Quest Authentication Services (QAS/VAS) client to Active Directory (AD), the following error message is shown in the debug output:
Caused by: KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm
When trying to connect to the Domain Controller (DC) on port 389, IPv6 information is returned:
# telnet <dc> 389
Trying 2001:4920:4:1:216:3eff:fe6e:8455...
telnet: connect to address 3001:9402:5:2:316:4eff:ee2e:8455: Connection refused
Trying 192.168.38.50...
Connected to yourdomain.com (192.168.1.1).
Escape character is ^].
IPv6 has been enabled on the DC by running the following command:
C:\> netsh interface ipv6 install
If IPv4 and IPv6 are both installed on the Domain Controllers, both forms of the addresses will be returned during a DNS query prior to the LDAP connection attempt. IPv6 prevents a Linux box from joining the domain if the AD servers *and* the Linux box are both running IPv6.
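The check below is an added example, not part of the original article or of the QAS/VAS tooling. It repeats the telnet test for every address the resolver returns for the DC and reports which address family fails. The function names, the host dc.example.test and the sample addresses are assumptions constructed for illustration; run it with the DC hostname as an argument to probe a real DC, or with no argument to use the constructed sample.

```python
import socket
import sys

FAMILY = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def tcp_connect(family, sockaddr, timeout):
    """Attempt a TCP connection; return None on success, else the error text."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sockaddr)
        return None
    except OSError as exc:
        return str(exc)

def probe(host, port=389, timeout=3.0, resolve=socket.getaddrinfo, connect=tcp_connect):
    """Try every address the resolver returns for host, in resolver order."""
    results = []
    for family, _t, _p, _c, sockaddr in resolve(host, port, 0, socket.SOCK_STREAM):
        if family in FAMILY:
            results.append((FAMILY[family], sockaddr[0], connect(family, sockaddr, timeout)))
    return results

def verdict(results):
    """Classify the probe by which address families reached the port."""
    ok = {fam for fam, _addr, err in results if err is None}
    if not ok:
        return "unreachable"
    if any(fam == "IPv6" and err is not None for fam, _a, err in results) and ok == {"IPv4"}:
        return "ipv6-fails-ipv4-ok"
    return "ok"

# Constructed stand-ins for DNS and the network (documentation address ranges),
# reproducing the dual-stack answer and refused IPv6 connection described above.
def sample_resolve(host, port, family=0, type=0):
    return [(socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", port, 0, 0)),
            (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]

def sample_connect(family, sockaddr, timeout):
    return "Connection refused" if family == socket.AF_INET6 else None

if __name__ == "__main__":
    if len(sys.argv) > 1:
        res = probe(sys.argv[1])
    else:
        res = probe("dc.example.test", resolve=sample_resolve, connect=sample_connect)
    for fam, addr, err in res:
        print(f"389/tcp {fam:4} {addr:40} {err or 'connected'}")
    print("verdict:", verdict(res))
```

A verdict of ipv6-fails-ipv4-ok matches the situation in this article: the DC answers on IPv4 but the IPv6 address returned by DNS is not reachable on port 389.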
If IPv6 is required in the environment, a workaround is to disable IPv6 on the Linux box by editing the modprobe.conf file, join the domain, then re-enable IPv6.
Alternatively, disable IPv6 on the DC. On Red Hat, IPv6 is enabled by default. You can disable IPv6 on RHEL by adding the following lines to the /etc/modprobe.conf file:
alias net-pf-10 off
alias ipv6 off