DC connection reset

Roger Roger 6,691 Reputation points
2025-01-04T06:58:13.8166667+00:00

Hi All,

One of my Linux VMs is using the kinit command to connect to one of my Domain Controllers. The kinit command, I believe, sends Kerberos requests to the Domain Controller on port 88. Currently, port 88 is allowed between the Linux VM and the Domain Controller. However, the application hosted on the Linux VM is unable to send requests, and the logs show the following error:

Receiving response from the KDC host: kdc host=dc01.contoso.com (192.168.1.30), port=88, protocol=tcp. Error Details: Connection reset by peer (0x00000068, 104).

Apart from port 88, are there any other ports that need to be allowed for kinit to function correctly?


1 answer

  1. Hebert Seven 226 Reputation points
    2025-01-11T17:11:00.66+00:00

    The error message you are encountering suggests a communication issue between your Linux VM and the Domain Controller (DC) when attempting to use the kinit command for Kerberos authentication. While Kerberos primarily operates on port 88, additional ports may also be required for the overall functionality of Kerberos in Active Directory environments, especially in scenarios involving certain configurations or authentication mechanisms. Here's a detailed breakdown:

    Ports Required for Kerberos and Related Services:

    TCP/UDP 88: This is the primary port for Kerberos Key Distribution Center (KDC) communication. This includes initial authentication requests and ticket-granting operations.

    TCP/UDP 464 (Optional): This port is used for Kerberos password changes and is required if the kinit operation involves changing or setting passwords for accounts.

    Dynamic RPC Ports (TCP 49152–65535 by default): If your environment uses Kerberos in conjunction with certain Active Directory RPC services or if there is fallback to other authentication methods, dynamic ports may need to be open. These are often required for proper communication with the DC.

    TCP 445: While not directly related to kinit, port 445 is necessary if the Linux VM uses Kerberos to access resources via SMB (e.g., file shares on the DC).

    DNS Ports (TCP/UDP 53): Proper DNS resolution is critical for Kerberos to work. Ensure DNS traffic is not being blocked between the Linux VM and the Domain Controller.

    UDP 123: Time synchronization is critical for Kerberos to function because tickets have strict expiration and validity windows. The Network Time Protocol (NTP) ensures the time on the Linux VM and the DC are synchronized.

    Troubleshooting Steps:

    Verify Port 88 Connectivity: Confirm that TCP port 88 is open and reachable between the Linux VM and the Domain Controller using a tool like telnet or nc:

    telnet dc01.contoso.com 88

    or

    nc -zv dc01.contoso.com 88

    Check Firewall Rules: Ensure your firewall rules allow not only TCP/UDP port 88 but also TCP/UDP 464 if password changes are involved.

    Inspect DNS Configuration: Make sure the Linux VM can resolve the FQDN (dc01.contoso.com) to the correct IP address. Use the following commands to test:

    nslookup dc01.contoso.com

    or

    dig dc01.contoso.com

    Check Time Synchronization: Verify that the system time on the Linux VM is synchronized with the Domain Controller:

    timedatectl

    Correct any discrepancies using NTP:

    sudo ntpdate <ntp-server>

    Inspect Domain Controller Logs: Review the security and system logs on the Domain Controller (dc01) for any errors or warnings related to Kerberos authentication or network communication.

    Enable Debugging in kinit: Run the kinit command with debugging enabled to gather more detailed output:

    kinit -V <principal>

    Final Notes:

    The specific error "Connection reset by peer" usually points to a network-level issue, such as:

    • An intermediate firewall or security device blocking or resetting the connection.
    • Misconfigured Kerberos or DNS settings causing the DC to reject the request.
    • An issue with the KDC service on the Domain Controller itself.

    Make sure all the necessary ports are open and that DNS and time synchronization are properly configured. If issues persist, you may need to review packet captures (using tcpdump or Wireshark) to identify where the connection is being reset.

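An added example, not code from the question or the answer above: a small Python probe that makes the distinction the answer draws between a port that is blocked and a connection that is accepted and then reset. The kinit log's code 104 is errno ECONNRESET, and only a completed handshake followed by an RST produces it, so a "filtered" or "refused" result from the probe points elsewhere than the case in the question. The names probe_kdc and start_local_peer are assumed for this example; start_local_peer is a constructed loopback fixture that stands in for the peer, not a KDC.

```python
import errno
import socket
import struct
import threading


def probe_kdc(host, port=88, timeout=3.0):
    """Classify what the KDC's TCP port does: "unresolved", "filtered" (SYN dropped),
    "refused" (RST to SYN), "reset" (errno 104 after the handshake), "closed", "open"."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "unresolved"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        raise
    with sock:
        sock.settimeout(timeout)
        try:
            # Nothing is sent (kinit supplies the real AS-REQ), so "open" only
            # proves the handshake; a device resetting on payload still shows "open".
            data = sock.recv(4)
        except socket.timeout:
            return "open"
        except OSError as exc:
            if exc.errno == errno.ECONNRESET:
                return "reset"
            raise
    return "closed" if data == b"" else "open"


def start_local_peer(reset):
    """Constructed loopback fixture (not a KDC): accept one connection, then
    either RST it immediately (reset=True) or close it cleanly with a FIN."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if reset:  # SO_LINGER with a zero timeout turns close() into an RST
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against the real DC from the question, probe_kdc("dc01.contoso.com", 88) returning "reset" confirms the handshake completes and something on the path or the host itself tears the session down, which is the point at which a packet capture on both ends is the next step.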
