Hello Fabrice,
It worked!
Thanks a million:)
I want to know if the change affects anything else. I also asked earlier what
your advice would be: is it a good idea to have the AD in the same network as
the PF management interface?
Regards,
Kehinde
On Thu, Aug 24, 2017 at 8:58 AM, Akala Kehinde <[email protected]>
wrote:
> Hello Fabrice,
>
> But just one thing... Would you then advise me to have the return route for
> my domain pointing to 172.16.100.10?
>
> Regards,
> Kehinde
>
> On Thu, Aug 24, 2017 at 8:55 AM, Akala Kehinde <[email protected]>
> wrote:
>
>> Hello Fabrice,
>>
>> I guess PF was configured by default for all services, protocols and
>> routes via just one interface. I was actually routing my domain network
>> through a second interface, which of course needed a tweak in the
>> iptables.conf file.
>>
>> Thanks a lot, man. I will apply the fix and test again.
>>
>> See attached the files as requested.
>>
>> Regards,
>> Kehinde
>>
>> On Thu, Aug 24, 2017 at 4:58 AM, Durand fabrice <[email protected]>
>> wrote:
>>
>>> OK, your issue is here:
>>>
>>> -A POSTROUTING -s 169.254.0.0/16 -o eth0.100 -j SNAT --to-source 172.16.100.10
>>>
>>> it should be:
>>>
>>> -A POSTROUTING -s 169.254.0.0/16 -o eth1 -j SNAT --to-source 172.16.7.13
>>>
>>> A quick fix would be to add it in conf/iptables.conf.
>>>
>>> Also, to understand exactly what happens, I will need the pf.conf
>>> and networks.conf.
>>>
>>>
>>>
>>> On 2017-08-23 at 22:24, Akala Kehinde wrote:
>>>
>>> Hi Fab,
>>>
>>> See attached.
>>>
>>> Regards,
>>> Kehinde
>>>
>>> On Thu, Aug 24, 2017 at 4:13 AM, Durand fabrice <[email protected]>
>>> wrote:
>>>
>>>> var/conf/iptables.conf not conf/iptables.conf
>>>>
>>>> On 2017-08-23 at 22:12, Akala Kehinde wrote:
>>>>
>>>> Hi Fabrice,
>>>>
>>>> Please see attached.
>>>>
>>>> Regards,
>>>> Kehinde
>>>>
>>>> On Thu, Aug 24, 2017 at 1:33 AM, Durand fabrice <[email protected]>
>>>> wrote:
>>>>
>>>>> No, it's perfect; MYDOMAIN-b is the link to the namespace.
>>>>>
>>>>> So the issue is probably iptables, can you paste the content of
>>>>> var/conf/iptables.conf ?
>>>>>
>>>>>
>>>>>
>>>>> On 2017-08-23 at 17:20, Akala Kehinde wrote:
>>>>>
>>>>> It appears MYDOMAIN-b binds on the wrong interface?
>>>>>
>>>>> Regards,
>>>>> Kehinde
>>>>>
>>>>> On Wed, Aug 23, 2017 at 11:17 PM, Akala Kehinde <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hi Fabrice,
>>>>>>
>>>>>> See below:
>>>>>>
>>>>>> [root@pfence sysctl.d]# ip route
>>>>>> default via 172.16.7.1 dev eth1
>>>>>> 169.254.0.0/30 dev MYDOMAIN-b proto kernel scope link src 169.254.0.2
>>>>>> 169.254.0.0/16 dev eth0 scope link metric 1002
>>>>>> 169.254.0.0/16 dev eth1 scope link metric 1003
>>>>>> 169.254.0.0/16 dev eth0.100 scope link metric 1004
>>>>>> 169.254.0.0/16 dev eth0.101 scope link metric 1005
>>>>>> 169.254.0.0/16 dev eth0.4 scope link metric 1006
>>>>>> 169.254.0.0/16 dev eth0.5 scope link metric 1007
>>>>>> 169.254.0.0/16 dev eth0.6 scope link metric 1008
>>>>>> 169.254.0.0/16 dev eth0.98 scope link metric 1009
>>>>>> 169.254.0.0/16 dev eth0.99 scope link metric 1010
>>>>>> 172.16.4.0/24 dev eth0.4 proto kernel scope link src 172.16.4.2
>>>>>> 172.16.7.0/24 dev eth1 proto kernel scope link src 172.16.7.13
>>>>>> 172.16.98.0/24 dev eth0.98 proto kernel scope link src 172.16.98.1
>>>>>> 172.16.99.0/24 dev eth0.99 proto kernel scope link src 172.16.99.1
>>>>>> 172.16.100.0/24 dev eth0.100 proto kernel scope link src 172.16.100.10
>>>>>> 172.16.101.0/24 dev eth0.101 proto kernel scope link src 172.16.101.1
>>>>>> [root@pfence sysctl.d]#
>>>>>>
>>>>>> [root@pfence sysctl.d]# ip route get 172.16.7.10
>>>>>> 172.16.7.10 dev eth1 src 172.16.7.13
>>>>>> cache
>>>>>> [root@pfence sysctl.d]#
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Kehinde
>>>>>>
>>>>>> On Wed, Aug 23, 2017 at 9:47 PM, Fabrice Durand <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> OK, so your issue is related to the system's routing.
>>>>>>>
>>>>>>> do:
>>>>>>>
>>>>>>> ip route
>>>>>>>
>>>>>>> and:
>>>>>>>
>>>>>>> ip route get 172.16.7.10
>>>>>>>
>>>>>>> restart iptables
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 2017-08-23 at 15:44, Akala Kehinde wrote:
>>>>>>>
>>>>>>> Hi Fabrice,
>>>>>>>
>>>>>>> See below:
>>>>>>>
>>>>>>> [root@pfence sysctl.d]# ip netns exec MYDOMAIN ping 172.16.7.10
>>>>>>> PING 172.16.7.10 (172.16.7.10) 56(84) bytes of data.
>>>>>>>
>>>>>>> --- 172.16.7.10 ping statistics ---
>>>>>>> 22 packets transmitted, 0 received, 100% packet loss, time 21107ms
>>>>>>>
>>>>>>> [root@pfence sysctl.d]# ip netns exec MYDOMAIN nslookup www.google.de
>>>>>>> ;; connection timed out; trying next origin
>>>>>>> ;; connection timed out; no servers could be reached
>>>>>>>
>>>>>>> [root@pfence sysctl.d]#
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Kehinde
>>>>>>>
>>>>>>> On Wed, Aug 23, 2017 at 6:45 PM, Fabrice Durand via
>>>>>>> PacketFence-users <[email protected]> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Let's try that:
>>>>>>>>
>>>>>>>> ip netns exec MYDOMAIN ping 172.16.7.10
>>>>>>>>
>>>>>>>> ip netns exec MYDOMAIN nslookup www.google.de
>>>>>>>>
>>>>>>>> What is the result ?
>>>>>>>>
>>>>>>>> On 2017-08-23 at 10:55, Akala Kehinde wrote:
>>>>>>>>
>>>>>>>> Hello Fabrice,
>>>>>>>>
>>>>>>>> I was thinking, could it be a problem with winbindd itself?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Kehinde
>>>>>>>>
>>>>>>>> On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hello Fabrice,
>>>>>>>>>
>>>>>>>>> [root@pfence sysctl.d]# cat 99-ip_forward.conf
>>>>>>>>> # ip forwarding enabled by packetfence
>>>>>>>>> net.ipv4.ip_forward = 1
>>>>>>>>>
>>>>>>>>> I already checked the time on both servers; it's the same.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Kehinde
>>>>>>>>>
>>>>>>>>> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via
>>>>>>>>> PacketFence-users <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hello Akala,
>>>>>>>>>>
>>>>>>>>>> Is ip_forward enabled?
>>>>>>>>>>
>>>>>>>>>> Is the time on the PacketFence server the same as on the AD
>>>>>>>>>> server?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> Fabrice
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 2017-08-23 at 02:38, Akala Kehinde wrote:
>>>>>>>>>>
>>>>>>>>>> Hello Fabrice,
>>>>>>>>>>
>>>>>>>>>> Kindly see below:
>>>>>>>>>>
>>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>>>>>>>>>> could not obtain winbind interface details:
>>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>>> could not obtain winbind domain name!
>>>>>>>>>> Error looking up domain users
>>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>>>>>>>>>> could not obtain winbind interface details:
>>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>>> could not obtain winbind domain name!
>>>>>>>>>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>>> Error looking up domain groups
>>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>>>>>>>>>> could not obtain winbind interface details:
>>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>>> could not obtain winbind domain name!
>>>>>>>>>> checking the trust secret for domain (null) via RPC calls failed
>>>>>>>>>> failed to call wbcCheckTrustCredentials:
>>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>>> Could not check secret
>>>>>>>>>> [root@pfence pf]#
>>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>>>>>>>>>> could not obtain winbind interface details:
>>>>>>>>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>>> could not obtain winbind domain name!
>>>>>>>>>> checking the NETLOGON for domain[] dc connection to "" failed
>>>>>>>>>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>>>>>>>>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
>>>>>>>>>> Ping to winbindd failed
>>>>>>>>>> could not ping winbindd!
>>>>>>>>>> [root@pfence pf]#
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I tested with TESTMAWOH.DE but it still cannot join.
>>>>>>>>>> It's driving me nuts :)
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Kehinde
>>>>>>>>>>
>>>>>>>>>> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via
>>>>>>>>>> PacketFence-users <[email protected]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello Akala,
>>>>>>>>>>>
>>>>>>>>>>> What happens if you do this:
>>>>>>>>>>>
>>>>>>>>>>> chroot /chroots/MYDOMAIN
>>>>>>>>>>>
>>>>>>>>>>> wbinfo -u
>>>>>>>>>>>
>>>>>>>>>>> wbinfo -g
>>>>>>>>>>>
>>>>>>>>>>> If no usernames or groups are displayed, then try:
>>>>>>>>>>>
>>>>>>>>>>> dns_name=TESTMAWOH.DE
>>>>>>>>>>> and rejoin
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Fabrice
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 2017-08-22 at 22:21, Akala Kehinde via PacketFence-users wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hello guys,
>>>>>>>>>>>
>>>>>>>>>>> I get this error when trying to join PF to an Active Directory
>>>>>>>>>>> Server:
>>>>>>>>>>>
>>>>>>>>>>> [root@pfence pf]# tail -f /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>>>>>>>>>>> [2017/08/23 02:20:34.196193, 0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>>>>>>>>>   Could not fetch our SID - did we join?
>>>>>>>>>>> [2017/08/23 02:20:34.196275, 0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>>>>>>>>>>   unable to initialize domain list
>>>>>>>>>>> [2017/08/23 02:20:34.324267, 0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>>>>>>>>>>>   initialize_winbindd_cache: clearing cache and re-creating with version number 2
>>>>>>>>>>> [2017/08/23 02:20:34.333731, 0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>>>>>>>>>   Could not fetch our SID - did we join?
>>>>>>>>>>>
>>>>>>>>>>> [root@pfence pf]#
>>>>>>>>>>>
>>>>>>>>>>> Below is my domain.conf file:
>>>>>>>>>>>
>>>>>>>>>>> [MYDOMAIN]
>>>>>>>>>>> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
>>>>>>>>>>> ntlm_cache=disabled
>>>>>>>>>>> registration=0
>>>>>>>>>>> ntlm_cache_expiry=3600
>>>>>>>>>>> dns_name=egelsbach.testmawoh.de
>>>>>>>>>>> dns_servers=172.16.7.10
>>>>>>>>>>> ou=Computers
>>>>>>>>>>> ntlm_cache_on_connection=disabled
>>>>>>>>>>> workgroup=TESTMAWOH
>>>>>>>>>>> ntlm_cache_batch_one_at_a_time=disabled
>>>>>>>>>>> sticky_dc=*
>>>>>>>>>>> ad_server=winserver.egelsbach.testmawoh.de
>>>>>>>>>>> ntlm_cache_batch=disabled
>>>>>>>>>>> server_name=pfence
>>>>>>>>>>> bind_pass=
>>>>>>>>>>> bind_dn=
>>>>>>>>>>>
>>>>>>>>>>> [root@pfence pf]# ps -efd | grep winbindd
>>>>>>>>>>> root     20052      1  7 04:15 ?        00:00:14 winbindd-wrapper
>>>>>>>>>>> root     21912  20052  1 04:18 ?        00:00:00 sudo chroot /chroots/MYDOMAIN /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>>>>>>>>>>> root     21913  21912  0 04:18 ?        00:00:00 /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>>>>>>>>>>> root     21915   4173  0 04:18 ttyS0    00:00:00 grep --color=auto winbindd
>>>>>>>>>>>
>>>>>>>>>>> [root@pfence pf]# /usr/local/pf/bin/pfcmd service winbindd
>>>>>>>>>>> status
>>>>>>>>>>> service|shouldBeStarted|pid
>>>>>>>>>>> winbindd|1|20052
>>>>>>>>>>> [root@pfence pf]#
>>>>>>>>>>>
>>>>>>>>>>> There is reachability between PF, the AD and DNS servers and all
>>>>>>>>>>> can resolve DNS queries.
>>>>>>>>>>>
>>>>>>>>>>> I have tried everything but it just refuses to bind. What else could
>>>>>>>>>>> be wrong, please?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Kehinde
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>>>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>>>>>>>> PacketFence (http://packetfence.org)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
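The diagnosis in the thread comes down to one mismatch: the POSTROUTING rule SNATs the domain namespace's 169.254.0.0/16 traffic out of eth0.100 with source 172.16.100.10, while `ip route get 172.16.7.10` shows the host actually reaches the AD/DNS server via eth1 from 172.16.7.13, so the namespace's replies never come back. The POSIX shell script below is an added example, not code from the thread or from PacketFence: it parses the first line of `ip route get` output, prints the SNAT rule the routing table calls for, and compares it with an existing rule. The route line and rule strings are copied from the thread and embedded as constructed input so it runs offline; the function names `snat_rule_for` and `check_snat_rule` are my own, and on a live host you would feed them `ip route get <AD-IP> | head -n1` and the rule grepped from var/conf/iptables.conf.

```shell
#!/bin/sh
# Added example (not from the thread or from PacketFence). Given the first line of
# `ip route get <AD server>` ("DST dev IFACE src SRC ..."), print the POSTROUTING
# SNAT rule that lets the domain namespace's 169.254.0.0/16 side reach that server
# through the interface the host really routes it over.
snat_rule_for() {
    route_line=$1
    ns_net=${2:-169.254.0.0/16}
    iface=$(printf '%s\n' "$route_line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    src=$(printf '%s\n' "$route_line" | sed -n 's/.* src \([^ ]*\).*/\1/p')
    if [ -z "$iface" ] || [ -z "$src" ]; then
        echo "cannot parse route line: $route_line" >&2
        return 1
    fi
    printf '%s -s %s -o %s -j SNAT --to-source %s\n' '-A POSTROUTING' "$ns_net" "$iface" "$src"
}

# Compare the SNAT rule currently in iptables.conf with the one the routing
# table calls for. Prints "ok" or "mismatch" (details go to stderr).
check_snat_rule() {
    existing=$1
    route_line=$2
    ns_net=${3:-169.254.0.0/16}
    wanted=$(snat_rule_for "$route_line" "$ns_net") || return 1
    if [ "$existing" = "$wanted" ]; then
        echo ok
    else
        echo mismatch
        echo "have:   $existing" >&2
        echo "wanted: $wanted" >&2
    fi
}

# Constructed input, copied from the thread, so the check runs offline.
# On a live host:
#   route_line=$(ip route get 172.16.7.10 | head -n1)
#   existing=$(grep -- '-s 169.254.0.0/16 .*-j SNAT' /usr/local/pf/var/conf/iptables.conf)
route_line='172.16.7.10 dev eth1 src 172.16.7.13'
broken_rule='-A POSTROUTING -s 169.254.0.0/16 -o eth0.100 -j SNAT --to-source 172.16.100.10'

check_snat_rule "$broken_rule" "$route_line"   # reports the mismatch from the thread
snat_rule_for "$route_line"                    # the rule to put in iptables.conf instead
```

The rule the script prints for the thread's route line is the one Fabrice gave (`-o eth1`, `--to-source 172.16.7.13`). Because the host has a link-local 169.254.0.0/16 route on every interface, the only reliable way to pick the SNAT interface and address is the route to the AD server itself, which is what `ip route get` answers; after editing the rule you still need to restart PacketFence's iptables service, as the thread says, and re-run the `ip netns exec MYDOMAIN ping`/`nslookup` checks from inside the namespace.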