Hello Fabrice,

I guess PF was configured by default for all services, protocols and routes via just one interface. I was actually routing my domain network through a second interface, which of course needed a tweak in the iptables.conf file.

Thanks a lot man. Will apply the fix and test again. See attached the files as requested.

Regards,
Kehinde

On Thu, Aug 24, 2017 at 4:58 AM, Durand fabrice <[email protected]> wrote:
> Ok your issue is there:
>
> -A POSTROUTING -s 169.254.0.0/16 -o eth0.100 -j SNAT --to-source 172.16.100.10
>
> it should be:
>
> -A POSTROUTING -s 169.254.0.0/16 -o eth1 -j SNAT --to-source 172.16.7.13
>
> a quick fix should be to add it in the conf/iptables.conf
>
> Also, to understand exactly what happens, I will need to have the pf.conf and networks.conf.
>
> On 2017-08-23 at 22:24, Akala Kehinde wrote:
>
> Hi Fab,
>
> See attached.
>
> Regards,
> Kehinde
>
> On Thu, Aug 24, 2017 at 4:13 AM, Durand fabrice <[email protected]> wrote:
>
>> var/conf/iptables.conf not conf/iptables.conf
>>
>> On 2017-08-23 at 22:12, Akala Kehinde wrote:
>>
>> Hi Fabrice,
>>
>> Please see attached.
>>
>> Regards,
>> Kehinde
>>
>> On Thu, Aug 24, 2017 at 1:33 AM, Durand fabrice <[email protected]> wrote:
>>
>>> no it's perfect, MYDOMAIN-b is the link to the namespace.
>>>
>>> So the issue is probably iptables, can you paste the content of var/conf/iptables.conf ?
>>>
>>> On 2017-08-23 at 17:20, Akala Kehinde wrote:
>>>
>>> It appears MYDOMAIN-b binds on the wrong interface?
>>>
>>> Regards,
>>> Kehinde
>>>
>>> On Wed, Aug 23, 2017 at 11:17 PM, Akala Kehinde <[email protected]> wrote:
>>>
>>>> Hi Fabrice,
>>>>
>>>> See below:
>>>>
>>>> [root@pfence sysctl.d]# ip route
>>>> default via 172.16.7.1 dev eth1
>>>> 169.254.0.0/30 dev MYDOMAIN-b proto kernel scope link src 169.254.0.2
>>>> 169.254.0.0/16 dev eth0 scope link metric 1002
>>>> 169.254.0.0/16 dev eth1 scope link metric 1003
>>>> 169.254.0.0/16 dev eth0.100 scope link metric 1004
>>>> 169.254.0.0/16 dev eth0.101 scope link metric 1005
>>>> 169.254.0.0/16 dev eth0.4 scope link metric 1006
>>>> 169.254.0.0/16 dev eth0.5 scope link metric 1007
>>>> 169.254.0.0/16 dev eth0.6 scope link metric 1008
>>>> 169.254.0.0/16 dev eth0.98 scope link metric 1009
>>>> 169.254.0.0/16 dev eth0.99 scope link metric 1010
>>>> 172.16.4.0/24 dev eth0.4 proto kernel scope link src 172.16.4.2
>>>> 172.16.7.0/24 dev eth1 proto kernel scope link src 172.16.7.13
>>>> 172.16.98.0/24 dev eth0.98 proto kernel scope link src 172.16.98.1
>>>> 172.16.99.0/24 dev eth0.99 proto kernel scope link src 172.16.99.1
>>>> 172.16.100.0/24 dev eth0.100 proto kernel scope link src 172.16.100.10
>>>> 172.16.101.0/24 dev eth0.101 proto kernel scope link src 172.16.101.1
>>>> [root@pfence sysctl.d]#
>>>>
>>>> [root@pfence sysctl.d]# ip route get 172.16.7.10
>>>> 172.16.7.10 dev eth1 src 172.16.7.13
>>>> cache
>>>> [root@pfence sysctl.d]#
>>>>
>>>> Regards,
>>>> Kehinde
>>>>
>>>> On Wed, Aug 23, 2017 at 9:47 PM, Fabrice Durand <[email protected]> wrote:
>>>>
>>>>> Ok so your issue is related to the route of the system.
>>>>>
>>>>> do:
>>>>>
>>>>> ip route
>>>>>
>>>>> and:
>>>>>
>>>>> ip route get 172.16.7.10
>>>>>
>>>>> restart iptables
>>>>>
>>>>> On 2017-08-23 at 15:44, Akala Kehinde wrote:
>>>>>
>>>>> Hi Fabrice,
>>>>>
>>>>> See below:
>>>>>
>>>>> [root@pfence sysctl.d]# ip netns exec MYDOMAIN ping 172.16.7.10
>>>>> PING 172.16.7.10 (172.16.7.10) 56(84) bytes of data.
>>>>>
>>>>> --- 172.16.7.10 ping statistics ---
>>>>> 22 packets transmitted, 0 received, 100% packet loss, time 21107ms
>>>>>
>>>>> [root@pfence sysctl.d]# ip netns exec MYDOMAIN nslookup www.google.de
>>>>> ;; connection timed out; trying next origin
>>>>> ;; connection timed out; no servers could be reached
>>>>>
>>>>> [root@pfence sysctl.d]#
>>>>>
>>>>> Regards,
>>>>> Kehinde
>>>>>
>>>>> On Wed, Aug 23, 2017 at 6:45 PM, Fabrice Durand via PacketFence-users <[email protected]> wrote:
>>>>>
>>>>>> Let's try that:
>>>>>>
>>>>>> ip netns exec MYDOMAIN ping 172.16.7.10
>>>>>>
>>>>>> ip netns exec MYDOMAIN nslookup www.google.de
>>>>>>
>>>>>> What is the result ?
>>>>>>
>>>>>> On 2017-08-23 at 10:55, Akala Kehinde wrote:
>>>>>>
>>>>>> Hello Fabrice,
>>>>>>
>>>>>> Was thinking, could it be a problem with the winbindd itself.
>>>>>>
>>>>>> Regards,
>>>>>> Kehinde
>>>>>>
>>>>>> On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde <[email protected]> wrote:
>>>>>>
>>>>>>> Hallo Fabrice,
>>>>>>>
>>>>>>> [root@pfence sysctl.d]# cat 99-ip_forward.conf
>>>>>>> # ip forwarding enabled by packetfence
>>>>>>> net.ipv4.ip_forward = 1
>>>>>>>
>>>>>>> Checked timing already on both servers, it's the same.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Kehinde
>>>>>>>
>>>>>>> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via PacketFence-users <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hello Akala,
>>>>>>>>
>>>>>>>> is ip_forward enabled ?
>>>>>>>>
>>>>>>>> is the time of the packetfence server the same as the AD server ?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Fabrice
>>>>>>>>
>>>>>>>> On 2017-08-23 at 02:38, Akala Kehinde wrote:
>>>>>>>>
>>>>>>>> Hello Fabrice,
>>>>>>>>
>>>>>>>> Kindly see below:
>>>>>>>>
>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>>>>>>>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>> could not obtain winbind domain name!
>>>>>>>> Error looking up domain users
>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>>>>>>>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>> could not obtain winbind domain name!
>>>>>>>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>> Error looking up domain groups
>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>>>>>>>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>> could not obtain winbind domain name!
>>>>>>>> checking the trust secret for domain (null) via RPC calls failed
>>>>>>>> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>> Could not check secret
>>>>>>>> [root@pfence pf]#
>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>>>>>>>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>> could not obtain winbind domain name!
>>>>>>>> checking the NETLOGON for domain[] dc connection to "" failed
>>>>>>>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
>>>>>>>> Ping to winbindd failed
>>>>>>>> could not ping winbindd!
>>>>>>>> [root@pfence pf]#
>>>>>>>>
>>>>>>>> Tested with TESTMAWOH.DE but still cannot join..
>>>>>>>> It's driving me nuts:)
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Kehinde
>>>>>>>>
>>>>>>>> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via PacketFence-users <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hello Akala,
>>>>>>>>>
>>>>>>>>> what happens if you do that:
>>>>>>>>>
>>>>>>>>> chroot /chroots/MYDOMAIN
>>>>>>>>>
>>>>>>>>> wbinfo -u
>>>>>>>>>
>>>>>>>>> wbinfo -g
>>>>>>>>>
>>>>>>>>> if there are no usernames or groups displayed then try :
>>>>>>>>>
>>>>>>>>> dns_name=TESTMAWOH.DE
>>>>>>>>> and rejoin
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Fabrice
>>>>>>>>>
>>>>>>>>> On 2017-08-22 at 22:21, Akala Kehinde via PacketFence-users wrote:
>>>>>>>>>
>>>>>>>>> Hello guys,
>>>>>>>>>
>>>>>>>>> I get this error when trying to join PF to an Active Directory Server:
>>>>>>>>>
>>>>>>>>> [root@pfence pf]# tail -f /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>>>>>>>>> [2017/08/23 02:20:34.196193, 0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>>>>>>> Could not fetch our SID - did we join?
>>>>>>>>> [2017/08/23 02:20:34.196275, 0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>>>>>>>> unable to initialize domain list
>>>>>>>>> [2017/08/23 02:20:34.324267, 0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>>>>>>>>> initialize_winbindd_cache: clearing cache and re-creating with version number 2
>>>>>>>>> [2017/08/23 02:20:34.333731, 0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>>>>>>> Could not fetch our SID - did we join?
>>>>>>>>>
>>>>>>>>> [root@pfence pf]#
>>>>>>>>>
>>>>>>>>> Below is my domain.conf file:
>>>>>>>>>
>>>>>>>>> [MYDOMAIN]
>>>>>>>>> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
>>>>>>>>> ntlm_cache=disabled
>>>>>>>>> registration=0
>>>>>>>>> ntlm_cache_expiry=3600
>>>>>>>>> dns_name=egelsbach.testmawoh.de
>>>>>>>>> dns_servers=172.16.7.10
>>>>>>>>> ou=Computers
>>>>>>>>> ntlm_cache_on_connection=disabled
>>>>>>>>> workgroup=TESTMAWOH
>>>>>>>>> ntlm_cache_batch_one_at_a_time=disabled
>>>>>>>>> sticky_dc=*
>>>>>>>>> ad_server=winserver.egelsbach.testmawoh.de
>>>>>>>>> ntlm_cache_batch=disabled
>>>>>>>>> server_name=pfence
>>>>>>>>> bind_pass=
>>>>>>>>> bind_dn=
>>>>>>>>>
>>>>>>>>> [root@pfence pf]# ps -efd | grep winbindd
>>>>>>>>> root 20052 1 7 04:15 ? 00:00:14 winbindd-wrapper
>>>>>>>>> root 21912 20052 1 04:18 ? 00:00:00 sudo chroot /chroots/MYDOMAIN /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>>>>>>>>> root 21913 21912 0 04:18 ? 00:00:00 /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>>>>>>>>> root 21915 4173 0 04:18 ttyS0 00:00:00 grep --color=auto winbindd
>>>>>>>>>
>>>>>>>>> [root@pfence pf]# /usr/local/pf/bin/pfcmd service winbindd status
>>>>>>>>> service|shouldBeStarted|pid
>>>>>>>>> winbindd|1|20052
>>>>>>>>> [root@pfence pf]#
>>>>>>>>>
>>>>>>>>> There is reachability between PF, the AD and DNS servers and all can resolve DNS queries.
>>>>>>>>>
>>>>>>>>> I have tried everything but it just refuses to bind. What else could be wrong please?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Kehinde
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>> Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>>>> _______________________________________________
>>>>>>>>> PacketFence-users mailing list
>>>>>>>>> [email protected]
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>
>>>>>>>> --
>>>>>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
Attachments: networks.conf, pf.conf (binary data)
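The thread's root cause is a POSTROUTING SNAT rule whose out-interface and source address (eth0.100 / 172.16.100.10) do not match the path the kernel actually uses to reach the domain controller (eth1 / 172.16.7.13, as shown by ip route get). The script below is an added example, not PacketFence code: it takes the rule and the route lookup as quoted above, embedded as constructed sample strings, checks whether the rule follows the real route, and prints the rule it would need to be. On a live server the same two inputs would come from `iptables-save -t nat` and `ip route get <dc-address>`.

```shell
#!/bin/sh
# Added example, not part of PacketFence. It compares a POSTROUTING SNAT
# rule against the route the kernel picks for the destination, which is the
# mismatch diagnosed in this thread. The two inputs are constructed from the
# lines quoted in the thread; on a live box they would come from
# `iptables-save -t nat` and `ip route get <dc-address>`.

SNAT_RULE='-A POSTROUTING -s 169.254.0.0/16 -o eth0.100 -j SNAT --to-source 172.16.100.10'
ROUTE_GET='172.16.7.10 dev eth1 src 172.16.7.13'

# value_after LINE TOKEN: print the word that follows TOKEN in LINE
# (e.g. value_after "$ROUTE_GET" dev -> eth1)
value_after() {
    printf '%s\n' "$1" | awk -v tok="$2" \
        '{ for (i = 1; i < NF; i++) if ($i == tok) { print $(i + 1); exit } }'
}

# snat_matches_route RULE ROUTE: succeed only when the rule's -o interface
# and --to-source address are the ones the kernel uses for that destination
snat_matches_route() {
    [ "$(value_after "$1" -o)" = "$(value_after "$2" dev)" ] &&
    [ "$(value_after "$1" --to-source)" = "$(value_after "$2" src)" ]
}

# corrected_snat RULE ROUTE: rewrite the rule so it follows the real route,
# keeping the original source range (the namespace link network)
corrected_snat() {
    printf -- '-A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$(value_after "$1" -s)" \
        "$(value_after "$2" dev)" \
        "$(value_after "$2" src)"
}

if snat_matches_route "$SNAT_RULE" "$ROUTE_GET"; then
    echo "SNAT rule already matches the route"
else
    echo "SNAT rule does not match the route to $(value_after "$ROUTE_GET" dev); it should be:"
    corrected_snat "$SNAT_RULE" "$ROUTE_GET"
fi
```

Run stand-alone it reports the mismatch and prints the eth1 / 172.16.7.13 rule that Fabrice gave. The check is worth keeping around because the symptom (ping and nslookup from inside the namespace timing out, winbindd unable to reach the DC) looks like a DNS or Samba problem until the route and the NAT rule are compared side by side.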
