Hello Fabrice,

But just 1 thing... Would you then advise me to have the return route for
my domain pointing to 172.16.100.10?

Regards,
Kehinde

On Thu, Aug 24, 2017 at 8:55 AM, Akala Kehinde <[email protected]>
wrote:

> Hello Fabrice,
>
> I guess PF was configured by default for all services, protocols and
> routes via just 1 interface. I was actually routing my domain network
> through a second interface which of course needed a tweak in the
> iptables.conf file.
>
> Thanks a lot, man. Will apply the fix and test again.
>
> See attached the files as requested.
>
> Regards,
> Kehinde
>
> On Thu, Aug 24, 2017 at 4:58 AM, Durand fabrice <[email protected]>
> wrote:
>
>> OK, your issue is there:
>>
>> -A POSTROUTING -s 169.254.0.0/16 -o eth0.100 -j SNAT --to-source
>> 172.16.100.10
>>
>> it should be:
>>
>> -A POSTROUTING -s 169.254.0.0/16 -o eth1 -j SNAT --to-source 172.16.7.13
>>
>> A quick fix should be to add it in conf/iptables.conf.
>>
>> Also, to understand what happens exactly, I will need to have the pf.conf
>> and networks.conf.
>>
>>
>>
>> On 2017-08-23 at 22:24, Akala Kehinde wrote:
>>
>> Hi Fab,
>>
>> See attached.
>>
>> Regards,
>> Kehinde
>>
>> On Thu, Aug 24, 2017 at 4:13 AM, Durand fabrice <[email protected]>
>> wrote:
>>
>>> var/conf/iptables.conf, not conf/iptables.conf
>>>
>>> On 2017-08-23 at 22:12, Akala Kehinde wrote:
>>>
>>> Hi Fabrice,
>>>
>>> Please see attached.
>>>
>>> Regards,
>>> Kehinde
>>>
>>> On Thu, Aug 24, 2017 at 1:33 AM, Durand fabrice <[email protected]>
>>> wrote:
>>>
>>>> No, it's perfect; MYDOMAIN-b is the link to the namespace.
>>>>
>>>> So the issue is probably iptables; can you paste the content of
>>>> var/conf/iptables.conf?
>>>>
>>>>
>>>>
>>>> On 2017-08-23 at 17:20, Akala Kehinde wrote:
>>>>
>>>> It appears MYDOMAIN-b binds on the wrong interface?
>>>>
>>>> Regards,
>>>> Kehinde
>>>>
>>>> On Wed, Aug 23, 2017 at 11:17 PM, Akala Kehinde <[email protected]> wrote:
>>>>
>>>>> Hi Fabrice,
>>>>>
>>>>> See below:
>>>>>
>>>>> [root@pfence sysctl.d]# ip route
>>>>> default via 172.16.7.1 dev eth1
>>>>> 169.254.0.0/30 dev MYDOMAIN-b  proto kernel  scope link  src 169.254.0.2
>>>>> 169.254.0.0/16 dev eth0  scope link  metric 1002
>>>>> 169.254.0.0/16 dev eth1  scope link  metric 1003
>>>>> 169.254.0.0/16 dev eth0.100  scope link  metric 1004
>>>>> 169.254.0.0/16 dev eth0.101  scope link  metric 1005
>>>>> 169.254.0.0/16 dev eth0.4  scope link  metric 1006
>>>>> 169.254.0.0/16 dev eth0.5  scope link  metric 1007
>>>>> 169.254.0.0/16 dev eth0.6  scope link  metric 1008
>>>>> 169.254.0.0/16 dev eth0.98  scope link  metric 1009
>>>>> 169.254.0.0/16 dev eth0.99  scope link  metric 1010
>>>>> 172.16.4.0/24 dev eth0.4  proto kernel  scope link  src 172.16.4.2
>>>>> 172.16.7.0/24 dev eth1  proto kernel  scope link  src 172.16.7.13
>>>>> 172.16.98.0/24 dev eth0.98  proto kernel  scope link  src 172.16.98.1
>>>>> 172.16.99.0/24 dev eth0.99  proto kernel  scope link  src 172.16.99.1
>>>>> 172.16.100.0/24 dev eth0.100  proto kernel  scope link  src 172.16.100.10
>>>>> 172.16.101.0/24 dev eth0.101  proto kernel  scope link  src 172.16.101.1
>>>>> [root@pfence sysctl.d]#
>>>>>
>>>>> [root@pfence sysctl.d]# ip route get 172.16.7.10
>>>>> 172.16.7.10 dev eth1  src 172.16.7.13
>>>>>     cache
>>>>> [root@pfence sysctl.d]#
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>> Kehinde
>>>>>
>>>>> On Wed, Aug 23, 2017 at 9:47 PM, Fabrice Durand <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> OK, so your issue is related to the system's routing.
>>>>>>
>>>>>> do:
>>>>>>
>>>>>> ip route
>>>>>>
>>>>>> and:
>>>>>>
>>>>>> ip route get 172.16.7.10
>>>>>>
>>>>>> restart iptables
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2017-08-23 at 15:44, Akala Kehinde wrote:
>>>>>>
>>>>>> Hi Fabrice,
>>>>>>
>>>>>> See below:
>>>>>>
>>>>>> [root@pfence sysctl.d]# ip netns exec MYDOMAIN ping 172.16.7.10
>>>>>> PING 172.16.7.10 (172.16.7.10) 56(84) bytes of data.
>>>>>>
>>>>>> --- 172.16.7.10 ping statistics ---
>>>>>> 22 packets transmitted, 0 received, 100% packet loss, time 21107ms
>>>>>>
>>>>>> [root@pfence sysctl.d]# ip netns exec MYDOMAIN nslookup www.google.de
>>>>>> ;; connection timed out; trying next origin
>>>>>> ;; connection timed out; no servers could be reached
>>>>>>
>>>>>> [root@pfence sysctl.d]#
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Kehinde
>>>>>>
>>>>>> On Wed, Aug 23, 2017 at 6:45 PM, Fabrice Durand via PacketFence-users
>>>>>> <[email protected]> wrote:
>>>>>>
>>>>>>>
>>>>>>> Let's try that:
>>>>>>>
>>>>>>> ip netns exec MYDOMAIN ping 172.16.7.10
>>>>>>>
>>>>>>> ip netns exec MYDOMAIN nslookup www.google.de
>>>>>>>
>>>>>>> What is the result ?
>>>>>>>
>>>>>>> On 2017-08-23 at 10:55, Akala Kehinde wrote:
>>>>>>>
>>>>>>> Hello Fabrice,
>>>>>>>
>>>>>>> Was thinking, could it be a problem with winbindd itself?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Kehinde
>>>>>>>
>>>>>>> On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hello Fabrice,
>>>>>>>>
>>>>>>>> [root@pfence sysctl.d]# cat 99-ip_forward.conf
>>>>>>>> # ip forwarding enabled by packetfence
>>>>>>>> net.ipv4.ip_forward = 1
>>>>>>>>
>>>>>>>> Checked timing already on both servers; it's the same.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Kehinde
>>>>>>>>
>>>>>>>> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via
>>>>>>>> PacketFence-users <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hello Akala,
>>>>>>>>>
>>>>>>>>> Is ip_forward enabled?
>>>>>>>>>
>>>>>>>>> Is the time on the PacketFence server the same as on the AD
>>>>>>>>> server?
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Fabrice
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 2017-08-23 at 02:38, Akala Kehinde wrote:
>>>>>>>>>
>>>>>>>>> Hello Fabrice,
>>>>>>>>>
>>>>>>>>> Kindly see below:
>>>>>>>>>
>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>>>>>>>>> could not obtain winbind interface details:
>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>> could not obtain winbind domain name!
>>>>>>>>> Error looking up domain users
>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>>>>>>>>> could not obtain winbind interface details:
>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>> could not obtain winbind domain name!
>>>>>>>>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>> Error looking up domain groups
>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>>>>>>>>> could not obtain winbind interface details:
>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>> could not obtain winbind domain name!
>>>>>>>>> checking the trust secret for domain (null) via RPC calls failed
>>>>>>>>> failed to call wbcCheckTrustCredentials:
>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>> Could not check secret
>>>>>>>>> [root@pfence pf]#
>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>>>>>>>>> could not obtain winbind interface details:
>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>> could not obtain winbind domain name!
>>>>>>>>> checking the NETLOGON for domain[] dc connection to "" failed
>>>>>>>>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
>>>>>>>>> Ping to winbindd failed
>>>>>>>>> could not ping winbindd!
>>>>>>>>> [root@pfence pf]#
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Tested with TESTMAWOH.DE but still cannot join.
>>>>>>>>> It's driving me nuts :)
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Kehinde
>>>>>>>>>
>>>>>>>>> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via
>>>>>>>>> PacketFence-users <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hello Akala,
>>>>>>>>>>
>>>>>>>>>> What happens if you do this:
>>>>>>>>>>
>>>>>>>>>> chroot /chroots/MYDOMAIN
>>>>>>>>>>
>>>>>>>>>> wbinfo -u
>>>>>>>>>>
>>>>>>>>>> wbinfo -g
>>>>>>>>>>
>>>>>>>>>> If there are no usernames or groups displayed, then try:
>>>>>>>>>>
>>>>>>>>>> dns_name=TESTMAWOH.DE
>>>>>>>>>> and rejoin
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Fabrice
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 2017-08-22 at 22:21, Akala Kehinde via PacketFence-users wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hello guys,
>>>>>>>>>>
>>>>>>>>>> I get this error when trying to join PF to an Active Directory
>>>>>>>>>> Server:
>>>>>>>>>>
>>>>>>>>>> [root@pfence pf]# tail -f /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>>>>>>>>>> [2017/08/23 02:20:34.196193,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>>>>>>>>   Could not fetch our SID - did we join?
>>>>>>>>>> [2017/08/23 02:20:34.196275,  0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>>>>>>>>>   unable to initialize domain list
>>>>>>>>>> [2017/08/23 02:20:34.324267,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>>>>>>>>>>   initialize_winbindd_cache: clearing cache and re-creating with version number 2
>>>>>>>>>> [2017/08/23 02:20:34.333731,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>>>>>>>>   Could not fetch our SID - did we join?
>>>>>>>>>>
>>>>>>>>>> [root@pfence pf]#
>>>>>>>>>>
>>>>>>>>>> Below is my domain.conf file:
>>>>>>>>>>
>>>>>>>>>> [MYDOMAIN]
>>>>>>>>>> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
>>>>>>>>>> ntlm_cache=disabled
>>>>>>>>>> registration=0
>>>>>>>>>> ntlm_cache_expiry=3600
>>>>>>>>>> dns_name=egelsbach.testmawoh.de
>>>>>>>>>> dns_servers=172.16.7.10
>>>>>>>>>> ou=Computers
>>>>>>>>>> ntlm_cache_on_connection=disabled
>>>>>>>>>> workgroup=TESTMAWOH
>>>>>>>>>> ntlm_cache_batch_one_at_a_time=disabled
>>>>>>>>>> sticky_dc=*
>>>>>>>>>> ad_server=winserver.egelsbach.testmawoh.de
>>>>>>>>>> ntlm_cache_batch=disabled
>>>>>>>>>> server_name=pfence
>>>>>>>>>> bind_pass=
>>>>>>>>>> bind_dn=
>>>>>>>>>>
>>>>>>>>>> [root@pfence pf]# ps -efd | grep winbindd
>>>>>>>>>> root     20052     1  7 04:15 ?        00:00:14 winbindd-wrapper
>>>>>>>>>> root     21912 20052  1 04:18 ?        00:00:00 sudo chroot /chroots/MYDOMAIN /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>>>>>>>>>> root     21913 21912  0 04:18 ?        00:00:00 /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>>>>>>>>>> root     21915  4173  0 04:18 ttyS0    00:00:00 grep --color=auto winbindd
>>>>>>>>>>
>>>>>>>>>> [root@pfence pf]# /usr/local/pf/bin/pfcmd service winbindd status
>>>>>>>>>> service|shouldBeStarted|pid
>>>>>>>>>> winbindd|1|20052
>>>>>>>>>> [root@pfence pf]#
>>>>>>>>>>
>>>>>>>>>> There is reachability between PF, the AD and DNS servers and all
>>>>>>>>>> can resolve DNS queries.
>>>>>>>>>>
>>>>>>>>>> I have tried everything, but it just refuses to bind. What else could
>>>>>>>>>> be wrong, please?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Kehinde
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>>>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>>>>>>> PacketFence (http://packetfence.org)
>>>>>>>>
>>>>>>>
>>>>>>
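The diagnosis Fabrice walks through above (compare `ip route get <DC>` with the POSTROUTING SNAT rule for the 169.254.0.0/16 namespace range) can be mechanised. The script below is an added example, not code from the PacketFence project or from anyone in this thread: it parses the `ip route` output pasted in the thread (re-joined onto single lines and embedded as constructed input), reproduces the kernel's longest-prefix/lowest-metric choice for the DC address, derives the preferred source address on that interface, and checks whether an SNAT rule names the same out-interface and `--to-source`. The function names, the regex for the rule, and the approximation of preferred source (the `src` of the connected route on the egress device) are this example's own assumptions; it only covers the rule forms seen in the thread.

```python
"""Added example: check an iptables SNAT rule for a PacketFence domain namespace
against the host routing table. Not PacketFence code; the routing table and the
two rules are the ones pasted in the thread, embedded here as constructed input."""

import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# `ip route` output from the thread, with mail-wrapped lines re-joined.
IP_ROUTE_OUTPUT = """\
default via 172.16.7.1 dev eth1
169.254.0.0/30 dev MYDOMAIN-b  proto kernel  scope link  src 169.254.0.2
169.254.0.0/16 dev eth0  scope link  metric 1002
169.254.0.0/16 dev eth1  scope link  metric 1003
169.254.0.0/16 dev eth0.100  scope link  metric 1004
169.254.0.0/16 dev eth0.101  scope link  metric 1005
169.254.0.0/16 dev eth0.4  scope link  metric 1006
169.254.0.0/16 dev eth0.5  scope link  metric 1007
169.254.0.0/16 dev eth0.6  scope link  metric 1008
169.254.0.0/16 dev eth0.98  scope link  metric 1009
169.254.0.0/16 dev eth0.99  scope link  metric 1010
172.16.4.0/24 dev eth0.4  proto kernel  scope link  src 172.16.4.2
172.16.7.0/24 dev eth1  proto kernel  scope link  src 172.16.7.13
172.16.98.0/24 dev eth0.98  proto kernel  scope link  src 172.16.98.1
172.16.99.0/24 dev eth0.99  proto kernel  scope link  src 172.16.99.1
172.16.100.0/24 dev eth0.100  proto kernel  scope link  src 172.16.100.10
172.16.101.0/24 dev eth0.101  proto kernel  scope link  src 172.16.101.1
"""

# The rule found in var/conf/iptables.conf and the one proposed as the fix.
BAD_RULE = "-A POSTROUTING -s 169.254.0.0/16 -o eth0.100 -j SNAT --to-source 172.16.100.10"
GOOD_RULE = "-A POSTROUTING -s 169.254.0.0/16 -o eth1 -j SNAT --to-source 172.16.7.13"

# `ip route` keywords that are followed by a value; anything else is a bare flag.
VALUE_KEYS = {"via", "dev", "src", "metric", "proto", "scope", "table"}

SNAT_RE = re.compile(
    r"-A POSTROUTING\s+-s\s+(?P<src>\S+)\s+-o\s+(?P<out>\S+)\s+-j\s+SNAT\s+--to-source\s+(?P<to>\S+)"
)


@dataclass
class Route:
    dst: IPv4Network
    dev: str
    via: Optional[IPv4Address]
    src: Optional[IPv4Address]
    metric: int  # absent in the output means 0


def parse_ip_route(text: str) -> list[Route]:
    """Parse the subset of `ip route` output used here (dst/default, via, dev, src, metric)."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = ip_network("0.0.0.0/0" if tokens[0] == "default" else tokens[0], strict=False)
        fields, i = {}, 1
        while i < len(tokens):
            if tokens[i] in VALUE_KEYS and i + 1 < len(tokens):
                fields[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1  # bare flags such as "onlink" or "linkdown"
        routes.append(Route(
            dst=dst,
            dev=fields["dev"],
            via=ip_address(fields["via"]) if "via" in fields else None,
            src=ip_address(fields["src"]) if "src" in fields else None,
            metric=int(fields.get("metric", 0)),
        ))
    return routes


def route_get(routes: list[Route], dst: str) -> Route:
    """Longest-prefix match, ties broken by lowest metric: what `ip route get` reports."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r.dst]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return min(candidates, key=lambda r: (-r.dst.prefixlen, r.metric))


def preferred_source(routes: list[Route], route: Route) -> IPv4Address:
    """Approximate the kernel's preferred source: the route's own src, otherwise the
    src of a connected route on the same device (assumption: one address per device)."""
    if route.src is not None:
        return route.src
    for r in routes:
        if r.dev == route.dev and r.via is None and r.src is not None:
            return r.src
    raise LookupError(f"no source address known for {route.dev}")


def check_snat_rule(rule: str, routes: list[Route], dc_ip: str,
                    ns_net: str = "169.254.0.0/16") -> tuple[bool, str]:
    """The namespace's traffic to dc_ip must be SNATed on the interface the host
    really uses for dc_ip, and with that interface's address as --to-source."""
    m = SNAT_RE.search(rule)
    if not m:
        return False, "not a POSTROUTING SNAT rule"
    egress = route_get(routes, dc_ip)
    want_src = preferred_source(routes, egress)
    problems = []
    if ip_network(m["src"], strict=False) != ip_network(ns_net):
        problems.append(f"-s {m['src']} does not match the namespace range {ns_net}")
    if m["out"] != egress.dev:
        problems.append(f"-o {m['out']} but {dc_ip} is reached via {egress.dev}")
    if ip_address(m["to"]) != want_src:
        problems.append(f"--to-source {m['to']} but {egress.dev} uses {want_src}")
    if problems:
        return False, "; ".join(problems)
    return True, f"SNAT on {egress.dev} as {want_src} matches the route to {dc_ip}"


def suggest_snat_rule(routes: list[Route], dc_ip: str, ns_net: str = "169.254.0.0/16") -> str:
    """Build the rule that agrees with the routing table for dc_ip."""
    egress = route_get(routes, dc_ip)
    return (f"-A POSTROUTING -s {ns_net} -o {egress.dev} -j SNAT "
            f"--to-source {preferred_source(routes, egress)}")


if __name__ == "__main__":
    table = parse_ip_route(IP_ROUTE_OUTPUT)
    for rule in (BAD_RULE, GOOD_RULE):
        ok, msg = check_snat_rule(rule, table, "172.16.7.10")
        print(("OK   " if ok else "BAD  ") + msg)
    print("suggested:", suggest_snat_rule(table, "172.16.7.10"))
```

Run it against a live host by replacing `IP_ROUTE_OUTPUT` with the output of `ip route` and the rule with the POSTROUTING line from var/conf/iptables.conf; the DC address is the `dns_servers`/`ad_server` value from domain.conf. The check is a static consistency test only: it says nothing about whether the DC answers, so `ip netns exec MYDOMAIN ping <DC>` remains the confirmation step.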