On 2018-06-15 at 10:22, Steven Pfister via PacketFence-users wrote:
Got it... thanks! Should I leave the system iptables service stopped, or should I uninstall it?
Uninstall it; the iptables rules are managed by packetfence.
The var/conf/iptables.conf file has lines:
-A POSTROUTING -s 192.168.220.0/24 -o eth0 -j SNAT --to 10.99.19.240
-A POSTROUTING -s 192.168.221.0/24 -o eth0 -j SNAT --to 10.99.19.240
It's used when you enable passthrough.
which don't seem right. 192.168.220.0/24 and 192.168.221.0/24 are on eth1 and eth2 respectively and don't really need to be NATed. That's what I was trying to comment out. I don't know how, from the template, to comment these out but leave:
-A POSTROUTING -s 169.254.0.0/16 -o eth0 -j SNAT --to-source 10.99.19.240
This rule is mandatory to join the domain.
On Fri, Jun 15, 2018 at 10:12 AM, Fabrice Durand via PacketFence-users <[email protected]> wrote:
Hello Steven,
var/conf/iptables.conf is a file generated from the template conf/iptables.conf. If you want to restart the iptables service you need to do the following (pfcmd service iptables restart) and not use the iptables service from the system.
Regards
Fabrice

On 2018-06-15 at 10:03, Steven Pfister via PacketFence-users wrote:
I just had something strange happen with iptables. I wanted to try a change in var/conf/iptables.conf, but "service iptables restart" wasn't available. So I did a "yum install iptables-services". Was that a mistake? The change I made to iptables.conf didn't work, so I changed it back. Now, with iptables started, I can't get to the web interface until I stop iptables.

On Fri, Jun 15, 2018 at 9:45 AM, Fabrice Durand via PacketFence-users <[email protected]> wrote:
Ok so if the "ip netns exec dpsad ping 10.99.20.32" works then you should be able to join the server to the domain. Also take care to set the domain and the DNS name in upper case.

On 2018-06-15 at 09:25, Steven Pfister via PacketFence-users wrote:
We had an extra NIC in this server, but it's causing a lot of problems, so we've just removed it altogether for now. The "ip netns exec dpsad ping" command worked just fine.
[root@PacketFence-ZEN ~]# ip route get 10.99.20.32
10.99.20.32 dev eth0 src 10.99.19.240
    cache
[root@PacketFence-ZEN ~]# ip route
default via 10.99.20.1 dev eth0
10.99.16.0/21 dev eth0 proto kernel scope link src 10.99.19.240
169.254.0.0/30 dev dpsad-b proto kernel scope link src 169.254.0.2
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
169.254.0.0/16 dev eth2 scope link metric 1004
169.254.0.0/16 dev eth0.2 scope link metric 1005
169.254.0.0/16 dev eth0.3 scope link metric 1006
192.168.220.0/24 dev eth1 proto kernel scope link src 192.168.220.10
192.168.221.0/24 dev eth2 proto kernel scope link src 192.168.221.10

On Fri, Jun 15, 2018 at 9:13 AM, Fabrice Durand via PacketFence-users <[email protected]> wrote:
It looks like you have 2 IPs on the interface eth0 and packetfence uses the first one to NAT the chroot traffic (10.99.19.240/21). You will probably need to remove the second one (10.99.21.1/21).
Can you try the following (replace 10.0.0.1 by the AD ip address):
ip netns exec dpsad ping 10.0.0.1
and let me know if it works.
Also can you do (and paste me the result):
ip route get 10.0.0.1
ip route
Regards
Fabrice

On 2018-06-15 at 09:03, Steven Pfister via PacketFence-users wrote:
By the way, the server was rebooted last night after I left and the routing issues seem to have stopped. It still isn't able to join the domain though. We need to join the server to the domain in order to authenticate against it, is that correct?
On Thu, Jun 14, 2018 at 7:25 PM, Durand fabrice via PacketFence-users <[email protected]> wrote:
Hello Steven,
169.254.0.0 is a virtual interface to be able to link a virtual network namespace used by the chroot where winbind is running.
Can you post the result of:
ip a
and the content of /usr/local/pf/var/conf/iptables.conf
Regards
Fabrice

On 2018-06-14 at 17:39, Steven Pfister via PacketFence-users wrote:
We are in the middle of trying to join our AD server in order to authenticate against it. After adding our domain, it's not able to join it. It's added a virtual interface and some routing for the 169.254.0.0 network. I'm not sure what the routing table is supposed to look like. I'm having trouble pinging addresses outside our network. Pinging addresses in the same subnet as the server is working. Has anyone seen this issue? Thanks!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Steve Pfister
Technology Services
Dayton Public Schools
115 S Ludlow St
Dayton OH 45402-1812
937-542-3149 office
937-542-3154 fax
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
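The consistency check Fabrice walks Steven through in this thread (does the 169.254.0.0/16 SNAT line in var/conf/iptables.conf leave by the same interface, and with the same source address, that "ip route get <AD ip>" reports, while the other SNAT lines are passthrough rules rather than mistakes) can be scripted against captured output. This is an added example, not PacketFence code or anything posted by the participants; the sample rule and route lines are the ones quoted above, the function names are my own, and the inputs are assumed to be pasted in as text.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the POSTROUTING lines quoted from var/conf/iptables.conf
# in the thread, and the first line of "ip route get 10.99.20.32" on Steven's box.
SAMPLE_RULES = """
-A POSTROUTING -s 192.168.220.0/24 -o eth0 -j SNAT --to 10.99.19.240
-A POSTROUTING -s 192.168.221.0/24 -o eth0 -j SNAT --to 10.99.19.240
-A POSTROUTING -s 169.254.0.0/16 -o eth0 -j SNAT --to-source 10.99.19.240
"""
SAMPLE_ROUTE_GET = "10.99.20.32 dev eth0 src 10.99.19.240 \n    cache"

NAMESPACE_NET = ip_network("169.254.0.0/16")  # link to the winbind chroot namespace
# iptables accepts both --to-source and its abbreviation --to, so match either.
RULE_RE = re.compile(r"^-A POSTROUTING -s (\S+) -o (\S+) -j SNAT --to(?:-source)? (\S+)")

def parse_snat_rules(text):
    """Return (source_net, out_iface, snat_ip) for every POSTROUTING SNAT line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((ip_network(m.group(1)), m.group(2), ip_address(m.group(3))))
    return rules

def parse_route_get(text):
    """Return (dev, src) the kernel chose, parsed from 'ip route get <AD ip>' output."""
    m = re.search(r"\bdev (\S+).*?\bsrc (\S+)", text)
    return (m.group(1), ip_address(m.group(2))) if m else None

def passthrough_rules(text):
    """The SNAT lines that are not the namespace rule: passthrough NAT, not errors."""
    return [r for r in parse_snat_rules(text) if r[0] != NAMESPACE_NET]

def check_domain_join_nat(rules_text, route_get_text):
    """Findings about the mandatory 169.254.0.0/16 rule; an empty list means consistent."""
    route = parse_route_get(route_get_text)
    if route is None:
        return ["could not parse 'ip route get' output"]
    dev, src = route
    ns_rules = [r for r in parse_snat_rules(rules_text) if r[0] == NAMESPACE_NET]
    if not ns_rules:
        return ["mandatory 169.254.0.0/16 SNAT rule is missing; the domain join will fail"]
    findings = []
    for _, iface, snat_ip in ns_rules:
        if iface != dev:
            findings.append(f"namespace rule exits via {iface} but AD is reached via {dev}")
        if snat_ip != src:
            # The thread's root cause: a second address on eth0 made kernel and rule disagree.
            findings.append(f"namespace rule SNATs to {snat_ip} but the kernel uses {src} on {dev}")
    return findings
```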
