I just feel like an idiot now... So apparently pf received the DMZ IP of my DC; however, a direct connection through ens224.100 failed. After turning the interface down (and therefore forcing the traffic through my pfSense) it worked... I just changed the order of the DNS entries and am now receiving the correct IP. After manipulating my hosts file to get rid of another error, I joined the domain successfully.

Thank you all for your help!

Regards
Christian
-----Original Message-----
From: Durand fabrice via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Saturday, 25 January 2020 14:34
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] Failed to join domain

Hi

It looks like Samba tries to connect to 10.0.0.101 (vlan 100).

ads_try_connect: sending CLDAP request to 10.0.0.101 (realm: <DOMAIN>)
ads_cldap_netlogon: did not get a reply

Are you able to ping 10.0.0.101?
Also in your pfsense allow any/any from pf to 10.0.0.101.

Regards
Fabrice

On 2020-01-25 at 07:34, Christian Hillebrand via PacketFence-users wrote:
> Hi,
> unfortunately I just found enough time to check your suggestions:
> I added a static route to direct traffic from 169.254.0.0/30 to my pf machine (10.0.1.2).
> I tried to find my dc but with no luck.
> When enabling the debug mode I could see that I am getting the correct DNS entries back (however not complete as my DC has the IPs 10.0.0.101 & 10.0.1.101 and I am only getting the first one) but am not able to connect...
> The port to which the connection should be established is in fact open.
> In the log below I replaced the Domains with the generic domain <domain>.
> My workgroup is basically my domain without the tld, just to avoid confusion.
>
> net ads info -s /etc/samba/<DomainID>.conf -d 10 returned:
> INFO: Current debug levels:
> all: 10
> [...]
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> [...]
> Processing section "[global]"
> doing parameter workgroup = <WORKGROUP>
> doing parameter realm = <domain>
> doing parameter netbios name = localhost
> doing parameter server string = localhost
> doing parameter pid directory = /usr/local/pf/var/run/<DomainID>
> doing parameter lock directory = /var/cache/samba
> doing parameter private dir = /var/cache/samba
> doing parameter security = ADS
> doing parameter winbind use default domain = no
> doing parameter idmap uid = 600-20000
> WARNING: The "idmap uid" option is deprecated
> doing parameter idmap gid = 600-20000
> WARNING: The "idmap gid" option is deprecated
> doing parameter template shell = /bin/bash
> doing parameter winbind expand groups = 10
> doing parameter password server = *
> doing parameter domain master = no
> doing parameter local master = no
> doing parameter preferred master = no
> doing parameter inherit permissions = yes
> doing parameter admin users = @<WORKGROUP>\"domain admins"
> doing parameter hide files = /~*/Thumbs.db/desktop.ini/ntuser.ini/NTUSER.*/SMax.*/
> doing parameter veto files = /lost+found/
> doing parameter allow trusted domains = yes
> doing parameter show add printer wizard = no
> doing parameter disable spoolss = yes
> doing parameter load printers = no
> doing parameter printing = bsd
> doing parameter printcap name = /dev/null
> doing parameter usershare max shares = 0
> doing parameter browseable = no
> doing parameter guest ok = no
> doing parameter machine password timeout = 0
> doing parameter client ipc signing = auto
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> messaging_dgm_ref: messaging_dgm_init returned Success
> messaging_dgm_ref: unique = 16363321606826345832
> Registering messaging pointer for type 2 - private_data=(nil)
> Registering messaging pointer for type 9 - private_data=(nil)
> Registered MSG_REQ_POOL_USAGE
> Registering messaging pointer for type 11 - private_data=(nil)
> Registering messaging pointer for type 12 - private_data=(nil)
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Registering messaging pointer for type 1 - private_data=(nil)
> Registering messaging pointer for type 5 - private_data=(nil)
> messaging_init: my id: 26541
> lp_load_ex: refreshing parameters
> Freeing parametrics:
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> [...]
> Processing section "[global]"
> doing parameter workgroup = <WORKGROUP>
> doing parameter realm = <domain>
> doing parameter netbios name = localhost
> doing parameter server string = localhost
> doing parameter pid directory = /usr/local/pf/var/run/<DomainID>
> doing parameter lock directory = /var/cache/samba
> doing parameter private dir = /var/cache/samba
> doing parameter security = ADS
> doing parameter winbind use default domain = no
> doing parameter idmap uid = 600-20000
> WARNING: The "idmap uid" option is deprecated
> doing parameter idmap gid = 600-20000
> WARNING: The "idmap gid" option is deprecated
> doing parameter template shell = /bin/bash
> doing parameter winbind expand groups = 10
> doing parameter password server = *
> doing parameter domain master = no
> doing parameter local master = no
> doing parameter preferred master = no
> doing parameter inherit permissions = yes
> doing parameter admin users = @<WORKGROUP>\"domain admins"
> doing parameter hide files = /~*/Thumbs.db/desktop.ini/ntuser.ini/NTUSER.*/SMax.*/
> doing parameter veto files = /lost+found/
> doing parameter allow trusted domains = yes
> doing parameter show add printer wizard = no
> doing parameter disable spoolss = yes
> doing parameter load printers = no
> doing parameter printing = bsd
> doing parameter printcap name = /dev/null
> doing parameter usershare max shares = 0
> doing parameter browseable = no
> doing parameter guest ok = no
> doing parameter machine password timeout = 0
> doing parameter client ipc signing = auto
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> Netbios name list:-
> my_netbios_names[0]="LOCALHOST"
> added interface ens192 ip=fda1:29bf:c056:4202:20c:29ff:fe85:5771 bcast= netmask=ffff:ffff:ffff:ffff::
> added interface ens224 ip=fda1:29bf:c056:4202:20c:29ff:fe85:577b bcast= netmask=ffff:ffff:ffff:ffff::
> added interface <DomainID>-b ip=169.254.0.2 bcast=169.254.0.3 netmask=255.255.255.252
> added interface ens224.100 ip=10.0.0.2 bcast=10.0.0.255 netmask=255.255.255.0
> added interface ens192 ip=10.0.1.2 bcast=10.0.1.255 netmask=255.255.255.0
> added interface ens224.102 ip=10.0.2.2 bcast=10.0.2.255 netmask=255.255.255.0
> added interface ens224.103 ip=10.0.3.1 bcast=10.0.3.255 netmask=255.255.255.0
> added interface ens224.109 ip=10.0.9.2 bcast=10.0.9.255 netmask=255.255.255.0
> added interface ens224.254 ip=10.0.254.2 bcast=10.0.254.255 netmask=255.255.255.0
> added interface ens224 ip=10.0.255.2 bcast=10.0.255.255 netmask=255.255.255.0
> added interface ens224.10 ip=10.1.0.2 bcast=10.1.255.255 netmask=255.255.0.0
> added interface ens224.20 ip=10.2.0.2 bcast=10.2.255.255 netmask=255.255.0.0
> added interface ens224.30 ip=10.3.0.2 bcast=10.3.255.255 netmask=255.255.0.0
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/cache/samba/gencache_notrans.tdb
> Adding cache entry with key=[AD_SITENAME/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
> Could not get allrecord lock on gencache_notrans.tdb: Locking error
> sitename_fetch: No stored sitename for realm '<DOMAIN>'
> resolve_and_ping_dns: (cldap) looking for realm '<DOMAIN>'
> get_sorted_dc_list: attempting lookup for name <DOMAIN> (sitename NULL)
> Adding cache entry with key=[SAFJOIN/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
> Could not get allrecord lock on gencache_notrans.tdb: Locking error
> Adding cache entry with key=[SAF/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
> Could not get allrecord lock on gencache_notrans.tdb: Locking error
> saf_fetch: failed to find server for "<DOMAIN>" domain
> get_dc_list: preferred server list: ", *"
> internal_resolve_name: looking up <DOMAIN>#1c (sitename (null))
> Adding cache entry with key=[NBT/<DOMAIN>#1C] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
> no entry for <DOMAIN>#1C found.
> resolve_ads: Attempting to resolve DCs for <DOMAIN> using DNS
> ads_dns_lookup_srv: 1 records returned in the answer section.
> ads_dns_parse_rr_srv: Parsed nas0.<domain> [0, 100, 389]
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> namecache_store: storing 1 address for <DOMAIN>#1c: 10.0.0.101
> Adding cache entry with key=[NBT/<DOMAIN>#1C] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954166 seconds in the past)
> Adding cache entry with key=[NBT/<DOMAIN>#1C] and timeout=[Sat Jan 25 12:20:26 2020 UTC] (660 seconds ahead)
> internal_resolve_name: returning 1 addresses: 10.0.0.101:389
> Adding 1 DC's from auto lookup
> Adding cache entry with key=[NEG_CONN_CACHE/<DOMAIN>,10.0.0.101] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954166 seconds in the past)
> check_negative_conn_cache returning result 0 for domain <DOMAIN> server 10.0.0.101
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> get_dc_list: returning 1 ip addresses in an ordered list
> get_dc_list: 10.0.0.101:389
> check_negative_conn_cache returning result 0 for domain <DOMAIN> server 10.0.0.101
> ads_try_connect: sending CLDAP request to 10.0.0.101 (realm: <DOMAIN>)
> ads_cldap_netlogon: did not get a reply
> ads_try_connect: CLDAP request 10.0.0.101 failed.
> Adding cache entry with key=[NEG_CONN_CACHE/<DOMAIN>,10.0.0.101] and timeout=[Sat Jan 25 12:10:32 2020 UTC] (60 seconds ahead)
> add_failed_connection_entry: added domain <DOMAIN> (10.0.0.101) to failed conn cache
> ads_find_dc: falling back to netbios name resolution for domain '<WORKGROUP>' (realm '<DOMAIN>')
> resolve_and_ping_netbios: (cldap) looking for domain '<WORKGROUP>'
> get_sorted_dc_list: attempting lookup for name <WORKGROUP> (sitename NULL)
> Adding cache entry with key=[SAFJOIN/DOMAIN/<WORKGROUP>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954172 seconds in the past)
> Adding cache entry with key=[SAF/DOMAIN/<WORKGROUP>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954172 seconds in the past)
> saf_fetch: failed to find server for "<WORKGROUP>" domain
> get_dc_list: preferred server list: ", *"
> internal_resolve_name: looking up <WORKGROUP>#1c (sitename (null))
> Adding cache entry with key=[NBT/<WORKGROUP>#1C] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954172 seconds in the past)
> no entry for <WORKGROUP>#1C found.
> resolve_lmhosts: Attempting lmhosts lookup for name <WORKGROUP><0x1c>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: not appropriate for name type <0x1c>
> name_resolve_bcast: Attempting broadcast lookup for name <WORKGROUP><0x1c>
> tstream_unix_connect failed: No such file or directory
> nmbd not around
> [x10]
> Adding 0 DC's from auto lookup
> get_dc_list: no servers found
> ads_find_dc: name resolution for realm '<DOMAIN>' (domain '<WORKGROUP>') failed: NT_STATUS_NO_LOGON_SERVERS
> ads_connect: No logon servers
> Adding cache entry with key=[AD_SITENAME/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954173 seconds in the past)
> sitename_fetch: No stored sitename for realm '<DOMAIN>'
> resolve_and_ping_dns: (cldap) looking for realm '<DOMAIN>'
> get_sorted_dc_list: attempting lookup for name <DOMAIN> (sitename NULL)
> Adding cache entry with key=[SAFJOIN/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954173 seconds in the past)
> Adding cache entry with key=[SAF/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954173 seconds in the past)
> saf_fetch: failed to find server for "<DOMAIN>" domain
> get_dc_list: preferred server list: ", *"
> internal_resolve_name: looking up <DOMAIN>#1c (sitename (null))
> name <DOMAIN>#1C found.
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> Adding 1 DC's from auto lookup
> check_negative_conn_cache returning result -1073741823 for domain <DOMAIN> server 10.0.0.101
> get_dc_list: negative entry 10.0.0.101 removed from DC list
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> get_dc_list: returning 0 ip addresses in an ordered list
> get_dc_list:
> ads_find_dc: falling back to netbios name resolution for domain '<WORKGROUP>' (realm '<DOMAIN>')
> resolve_and_ping_netbios: (cldap) looking for domain '<WORKGROUP>'
> get_sorted_dc_list: attempting lookup for name <WORKGROUP> (sitename NULL)
> saf_fetch: failed to find server for "<WORKGROUP>" domain
> get_dc_list: preferred server list: ", *"
> internal_resolve_name: looking up <WORKGROUP>#1c (sitename (null))
> no entry for <WORKGROUP>#1C found.
> resolve_lmhosts: Attempting lmhosts lookup for name <WORKGROUP><0x1c>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: not appropriate for name type <0x1c>
> name_resolve_bcast: Attempting broadcast lookup for name <WORKGROUP><0x1c>
> tstream_unix_connect failed: No such file or directory
> nmbd not around
> [x10]
> Adding 0 DC's from auto lookup
> get_dc_list: no servers found
> ads_find_dc: name resolution for realm '<DOMAIN>' (domain '<WORKGROUP>') failed: NT_STATUS_NO_LOGON_SERVERS
> ads_connect: No logon servers
> Didn't find the ldap server!
> return code = -1
> msg_dgm_ref_destructor: refs=(nil)
>
>
> -----Original Message-----
> From: Nicolas Quiniou-Briand via PacketFence-users <packetfence-users@lists.sourceforge.net>
> Sent: Monday, 13 January 2020 16:08
> To: packetfence-users@lists.sourceforge.net
> Cc: Nicolas Quiniou-Briand <n...@inverse.ca>
> Subject: Re: [PacketFence-users] Failed to join domain
>
> Hello Christian,
>
> In your domain chroot, try the following commands:
>
> #v+
> ### Check if you can find a DC with your current configuration
> # net ads info -s /etc/samba/<mydomain>.conf
> ## debug
> # net ads info -s /etc/samba/<mydomain>.conf -d 10
>
> ### Run a domain join manually
> # net ads join -s /etc/samba/<mydomain>.conf -U user
> ## debug
> # net ads join -s /etc/samba/<mydomain>.conf -U user -d 10
> #v-
>
> To enter the chroot: `chroot /chroots/<mydomain>`.
> --
> Nicolas Quiniou-Briand
> n...@inverse.ca :: +1.514.447.4918 *140 :: https://inverse.ca
> Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence (https://packetfence.org) and Fingerbank (http://fingerbank.org)
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
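The debug output in the thread shows the whole DC-locator sequence: the DNS SRV lookup succeeds (nas0.<domain>, 10.0.0.101:389), the CLDAP ping to that address gets no reply, the address lands in the negative connection cache for 60 seconds, and the NetBIOS fallback has nothing to work with without nmbd, WINS or lmhosts, hence NT_STATUS_NO_LOGON_SERVERS. That ping is LDAP carried over UDP port 389, so a TCP check of port 389 says nothing about it, and with ens224.100 holding 10.0.0.2/24 the probe left through that directly connected interface instead of through pfSense. The script below is an added example, not PacketFence or Samba code: it hand-builds the same CLDAP netlogon request (a BER-encoded LDAP SearchRequest against the rootDSE, with the filter cut down to DnsDomain and NtVer where Samba's own adds Host, User and other terms), sends it over UDP, and decodes the NETLOGON_SAM_LOGON_RESPONSE_EX reply, so it can be run from the PacketFence host or the domain chroot to exercise exactly the path the join uses. It needs only the Python standard library; the DS_FLAG bit values and the response layout follow MS-ADTS, and the addresses in the comments are placeholders.

```python
"""CLDAP netlogon ping, the UDP/389 probe behind Samba's ads_cldap_netlogon.
Added diagnostic example, not PacketFence or Samba code.  The filter is cut
down to DnsDomain + NtVer; Samba's own also carries Host, User, AAC, etc."""
from __future__ import annotations
import socket
import struct

NT_VERSION_5EX = 0x00000006   # NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX
DS_FLAGS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC",
            0x40: "TIMESERV", 0x80: "CLOSEST", 0x100: "WRITABLE"}  # MS-ADTS DS_FLAG bits

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(n: int) -> bytes:
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def ber_str(s) -> bytes:
    return tlv(0x04, s.encode() if isinstance(s, str) else s)

def ber_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]: (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_cldap_netlogon(realm: str, message_id: int = 1) -> bytes:
    """SearchRequest on the rootDSE: (&(DnsDomain=<realm>)(NtVer=<le32>)), attrs [netlogon]."""
    eq = lambda attr, val: tlv(0xA3, ber_str(attr) + ber_str(val))   # [3] equalityMatch
    flt = tlv(0xA0, eq("DnsDomain", realm) + eq("NtVer", struct.pack("<I", NT_VERSION_5EX)))
    search = (ber_str("") + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")   # base "", scope, deref
              + ber_int(0) + ber_int(0) + tlv(0x01, b"\x00")          # size/time limit, typesOnly
              + flt + tlv(0x30, ber_str("netlogon")))
    return tlv(0x30, ber_int(message_id) + tlv(0x63, search))        # [APPLICATION 3]

def read_dns_name(blob: bytes, pos: int, max_jumps: int = 8):
    """RFC 1035 compressed labels; jumps are capped because the blob is unauthenticated UDP input."""
    labels, end, jumps = [], None, 0
    while True:
        n = blob[pos]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if (jumps := jumps + 1) > max_jumps:
                raise ValueError("compression pointer loop")
            end = pos + 2 if end is None else end  # resume after the first pointer
            pos = ((n & 0x3F) << 8) | blob[pos + 1]
            continue
        pos += 1
        if n == 0:
            break
        labels.append(blob[pos:pos + n].decode())
        pos += n
    return ".".join(labels), (pos if end is None else end)

def decode_netlogon_ex(blob: bytes) -> dict:
    """Header and the eight compressed names of NETLOGON_SAM_LOGON_RESPONSE_EX (opcode 23)."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    out = {"opcode": opcode, "flags": flags,
           "roles": [name for bit, name in DS_FLAGS.items() if flags & bit]}
    pos = 24                                       # opcode, sbz, flags, then a 16-byte domain GUID
    for field in ("forest", "domain", "dc_hostname", "netbios_domain",
                  "netbios_dc", "user", "dc_site", "client_site"):
        out[field], pos = read_dns_name(blob, pos)
    return out

def parse_cldap_reply(datagram: bytes) -> dict | None:
    """First LDAPMessage of the datagram; None unless it is a SearchResultEntry carrying netlogon."""
    tag, msg, _ = ber_read(datagram)
    op_tag, op, _ = ber_read(msg, ber_read(msg)[2])  # skip messageID
    if tag != 0x30 or op_tag != 0x64:              # [APPLICATION 4] SearchResultEntry
        return None                                # bare SearchResultDone: DC answered, wrong realm
    attrs = ber_read(op, ber_read(op)[2])[1]       # skip objectName (empty for the rootDSE)
    p = 0
    while p < len(attrs):
        _, attr, p = ber_read(attrs, p)
        _, name, q = ber_read(attr)
        _, vals, _ = ber_read(attr, q)
        if name.lower() == b"netlogon":
            return decode_netlogon_ex(ber_read(vals)[1])
    return None

def cldap_ping(dc_ip: str, realm: str, timeout: float = 2.0) -> dict | None:
    """Send the probe to UDP/389; None on timeout, i.e. Samba's 'did not get a reply'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cldap_netlogon(realm), (dc_ip, 389))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_cldap_reply(data)

if __name__ == "__main__":                         # python3 cldap_ping.py 10.0.0.101 <domain>
    import sys
    print(cldap_ping(sys.argv[1], sys.argv[2]) or f"no CLDAP reply from {sys.argv[1]}")
```

Run it as `python3 cldap_ping.py 10.0.0.101 <domain>` from the same host (or chroot) that runs `net ads join`: a decoded reply whose roles include LDAP and KDC means the datagram reached a DC for that realm and the answer came back along the same path, while a timeout reproduces Samba's "did not get a reply" without its negative cache getting in the way. Because the reply is unauthenticated UDP from whatever answers on that address, the name decoder bounds the number of compression-pointer jumps rather than trusting the packet to terminate.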