Hello ! I got the exact same issue ! Do you have a command to reload PacketFence iptable configuration ?
Regards, Adrian. De: "packetfence-users" <packetfence-users@lists.sourceforge.net> À: "Geert Heremans" <heremans.ge...@gmail.com>, "packetfence-users" <packetfence-users@lists.sourceforge.net> Cc: "Durand fabrice" <fdur...@inverse.ca> Envoyé: Mercredi 7 Octobre 2020 15:30:09 Objet: Re: [PacketFence-users] Cannot join domain using GUI - net ads join works Ok so it looks that you iptables config is not able to load. It's probably related to NETFLOW kernel module. You have 2 choices, the first one: edit /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j NETFLOW" or do a yum update , if there is a new kernel then reboot the server then do yum reinstall dkms-ipt-netflow Then once done check again iptables -L -n -v , if it's more verbose then retry to join to the domain, it should work. Regards Fabrice Le 20-10-07 à 09 h 23, Geert Heremans a écrit : Hello Fabrice of course. Anything that helps. The output of the iptables -L -n -v command you'll find below: BQ_BEGIN BQ_BEGIN Chain INPUT (policy ACCEPT 1891K packets, 332M bytes) BQ_BEGIN pkts bytes target prot opt in out source destination BQ_END BQ_BEGIN BQ_END BQ_BEGIN Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes) BQ_END BQ_BEGIN pkts bytes target prot opt in out source destination BQ_END BQ_BEGIN BQ_END BQ_BEGIN Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes) BQ_END BQ_BEGIN pkts bytes target prot opt in out source destination BQ_END BQ_END Below the contents of the iptables.conf file. Also attached to this email # Copyright (C) Inverse inc. # iptables template # This file is manipulated on PacketFence's startup before being given to iptables *filter ### INPUT ### :INPUT DROP [0:0] # accept loopback stuff -A INPUT --in-interface lo --jump ACCEPT # accept anything related -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT # Accept Ping (easier troubleshooting) -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT :input-management-if - [0:0] # SSH -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT # HTTP and HTTPS for the portal -A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT # Web Admin -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT # Webservices -A input-management-if --protocol tcp --match tcp --dport %%webservices_port%% --jump ACCEPT # AAA -A input-management-if --protocol tcp --match tcp --dport %%aaa_port%% --jump ACCEPT # Unified API -A input-management-if --protocol tcp --match tcp --dport %%unifiedapi_port%% --jump ACCEPT # httpd.portal modstatus -A input-management-if --protocol tcp --match tcp --dport %%httpd_portal_modstatus%% --jump ACCEPT # httpd.collector -A input-management-if --protocol tcp --match tcp --dport %%httpd_collector_port%% --jump ACCEPT # haproxy stats (uncomment if activating the haproxy dashboard) - 1025 for haproxy-portal, 1026 for haproxy-db #-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT #-A input-management-if --protocol tcp --match tcp --dport 1026 --jump ACCEPT # Netdata -A input-management-if --protocol tcp --match tcp --dport 19999 --jump ACCEPT # RADIUS -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT -A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT # RADIUS (eduroam virtual-server) %%eduroam_radius_virtualserver%% # SNMP Traps -A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs) -A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT # OpenVAS Administration Interface -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT # Nessus Administration Interface -A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT # PacketFence-PKI # -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT # -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT # Fingerbank collector (replication, Netflow, API, sFlow) -A input-management-if --protocol udp --match udp --dport 1192 --jump ACCEPT -A input-management-if --protocol udp --match udp --dport 2055 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 4723 --jump ACCEPT -A input-management-if --protocol udp --match udp --dport 6343 --jump ACCEPT # VRRP -A input-management-if -d [ http://224.0.0.0/8 | 224.0.0.0/8 ] -j ACCEPT -A input-management-if -p vrrp -j ACCEPT # Mysql -A input-management-if --protocol tcp --match tcp --dport 3306 --jump ACCEPT # Syslog -A input-management-if --protocol udp --match udp --dport 514 --jump ACCEPT :input-portal-if - [0:0] -A input-portal-if --protocol tcp --match tcp --dport 80 --jump ACCEPT -A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT :input-radius-if - [0:0] -A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT -A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT -A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT -A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT -A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT -A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT -A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT %%eduroam_radius_listening%% :input-dns-if - [0:0] -A input-dns-if --protocol tcp --match tcp --dport 53 --jump ACCEPT -A input-dns-if --protocol udp --match udp --dport 53 --jump ACCEPT :input-dhcp-if - [0:0] -A input-dhcp-if --protocol udp --match udp --dport 67 --jump ACCEPT -A input-dhcp-if --protocol tcp --match tcp --dport 67 --jump ACCEPT :input-internal-vlan-if - [0:0] # DNS -A input-internal-vlan-if --protocol tcp --match tcp --dport 53 --jump ACCEPT -A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT # HTTP (captive-portal) -A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT -A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT -A input-internal-vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT # HTTP (parking portal) -A input-internal-vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT %%input_inter_vlan_if%% :input-internal-isol_vlan-if - [0:0] # DNS -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53 --jump ACCEPT -A input-internal-isol_vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT # DHCP -A input-internal-isol_vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT # HTTP (captive-portal) -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT # HTTP (parking portal) -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT %%input_inter_isol_vlan_if%% :input-internal-inline-if - [0:0] # DNS -A input-internal-inline-if --protocol tcp --match tcp --dport 53 --jump ACCEPT -A input-internal-inline-if --protocol udp --match udp --dport 53 --jump ACCEPT # HTTP (captive-portal) # prevent registered users from reaching it # TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal #-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP #-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP # allow everyone else behind inline interface (not registered, isolated, etc.) -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT -A input-internal-inline-if --protocol tcp --match tcp --dport 647 --jump ACCEPT %%input_inter_inline_rules%% :input-highavailability-if - [0:0] #SSH -A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT #Galera autofix -A input-highavailability-if --protocol udp --match udp --dport 4253 --jump ACCEPT #Galera cluster -A input-highavailability-if --protocol tcp --match tcp --dport 4444 --jump ACCEPT -A input-highavailability-if --protocol tcp --match tcp --dport 4567 --jump ACCEPT -A input-highavailability-if --protocol tcp --match tcp --dport 4568 --jump ACCEPT #PacketFence MariaDB Quorum server -A input-highavailability-if --protocol tcp --match tcp --dport 7890 --jump ACCEPT -A input-highavailability-if --protocol tcp --match tcp --dport 7891 --jump ACCEPT # Corosync -A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT -A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT #DRBD -A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT # Heartbeat -A input-highavailability-if --protocol udp --match udp --dport 694 --jump ACCEPT #PCS -A input-highavailability-if --protocol tcp --match tcp --dport 2224 --jump ACCEPT -A input-highavailability-if --protocol tcp --match tcp --dport 3121 --jump ACCEPT -A input-highavailability-if --protocol tcp --match tcp --dport 21064 --jump ACCEPT # These will redirect to the proper chains based on conf/pf.conf's configuration %%filter_if_src_to_chain%% ### FORWARD ### :FORWARD DROP [0:0] -I FORWARD -j NETFLOW :forward-internal-vlan-if - [0:0] %%filter_forward_vlan%% :forward-internal-isolvlan-if - [0:0] %%filter_forward_isol_vlan%% :forward-internal-inline-if - [0:0] %%filter_forward_inline%% %%filter_forward%% %%filter_forward_domain%% :OUTPUT ACCEPT [0:0] COMMIT *mangle :PREROUTING ACCEPT [0:0] :prerouting-int-inline-if - [0:0] %%mangle_prerouting_inline%% :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :postrouting-int-inline-if - [0:0] %%mangle_postrouting_inline%% # These will redirect to the proper chains based on conf/pf.conf's configuration %%mangle_if_src_to_chain%% COMMIT *nat :PREROUTING ACCEPT [0:0] :prerouting-int-inline-if - [0:0] :postrouting-inline-routed - [0:0] :postrouting-int-inline-if - [0:0] :prerouting-int-vlan-if - [0:0] %%nat_prerouting_inline%% %%nat_prerouting_vlan%% :OUTPUT ACCEPT [0:0] # These will redirect to the proper chains based on conf/pf.conf's configuration %%nat_if_src_to_chain%% :POSTROUTING ACCEPT [0:0] %%nat_postrouting_inline%% # # Chain to enable routing instead of NAT # %%routed_postrouting_inline%% # # NAT out (PAT actually) # # If you want to do your own thing regarding NAT like for example: # - allowing through instead of doing NAT (make sure you have the proper return route) # - traffic out on some interface other than management # - overloading on multiple IP addresses # Comment the next two lines and do it here on the POSTROUTING chain. # Make sure to adjust the FORWARD rules also to allow traffic back-in. %%nat_postrouting_vlan%% # # Routing for the hidden domain network # %%domain_postrouting%% COMMIT Op wo 7 okt. 2020 om 15:17 schreef Fabrice Durand via PacketFence-users < [ mailto:packetfence-users@lists.sourceforge.net | packetfence-users@lists.sourceforge.net ] >: BQ_BEGIN Hello Geert, can you provide the file /usr/local/pf/var/conf/iptables.conf and the output of iptables -L -n -v Regards Fabrice Le 20-10-07 à 08 h 11, Geert Heremans via PacketFence-users a écrit : BQ_BEGIN Thank you Maile and others Really appreciate it. Putting the management network on the same as the DC din't work. Would it help if I joined the server using the net ads command end bypass the Join Domain function in PF? Best regards Geert Op wo 7 okt. 2020 om 10:32 schreef Maile Halatuituia < [ mailto:maile.halatuit...@tcc.to | maile.halatuit...@tcc.to ] >: BQ_BEGIN Hi Geert I did have the same issue as yours but mine got fixed when I put my management interface on the same network where my Doman Controller is. To be more clearer, my Domain IP is 10.0.1.x/24 and my PF Management Interface is 10.0.1.y/24. After I made that changed , everything works just fine. Hope it will help you. Maile. From: Geert Heremans via PacketFence-users < [ mailto:packetfence-users@lists.sourceforge.net | packetfence-users@lists.sourceforge.net ] > Sent: Wednesday, 7 October 2020 9:59 AM To: [ mailto:packetfence-users@lists.sourceforge.net | packetfence-users@lists.sourceforge.net ] Cc: Geert Heremans < [ mailto:heremans.ge...@gmail.com | heremans.ge...@gmail.com ] > Subject: [PacketFence-users] Cannot join domain using GUI - net ads join works Hello everyone I'm trying to get my PF10 server to join my domain. The PF hostname is hades and my domain is [ http://sintcordula.be/ | sintcordula.be ] . Trying to join from the gui false because no DC is found. However when I try to join the server using the shell it works. The computer account is created in the domain. Failed to join domain: failed to find DC for domain SINTCORDULA - {Operation Failed} The requested operation was unsuccessful. net ads join -s /etc/samba/scis2.conf -U XXXX Using short domain name -- SINTCORDULA Joined 'HADES' to dns domain ' [ http://sintcordula.be/ | SINTCORDULA.BE ] ' No DNS domain configured for hades. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER Can anyone point me into the right direction for debugging? Best Regards Geert Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. BQ_END _______________________________________________ PacketFence-users mailing list [ mailto:PacketFence-users@lists.sourceforge.net | PacketFence-users@lists.sourceforge.net ] [ https://lists.sourceforge.net/lists/listinfo/packetfence-users | https://lists.sourceforge.net/lists/listinfo/packetfence-users ] BQ_END -- Fabrice Durand [ mailto:fdur...@inverse.ca | fdur...@inverse.ca ] :: +1.514.447.4918 (x135) :: [ http://www.inverse.ca/ | www.inverse.ca ] Inverse inc. :: Leaders behind SOGo ( [ http://www.sogo.nu/ | http://www.sogo.nu ] ) and PacketFence ( [ http://packetfence.org/ | http://packetfence.org ] ) _______________________________________________ PacketFence-users mailing list [ mailto:PacketFence-users@lists.sourceforge.net | PacketFence-users@lists.sourceforge.net ] [ https://lists.sourceforge.net/lists/listinfo/packetfence-users | https://lists.sourceforge.net/lists/listinfo/packetfence-users ] BQ_END BQ_END -- Fabrice Durand [ mailto:fdur...@inverse.ca | fdur...@inverse.ca ] :: +1.514.447.4918 (x135) :: [ http://www.inverse.ca/ | www.inverse.ca ] Inverse inc. :: Leaders behind SOGo ( [ http://www.sogo.nu/ | http://www.sogo.nu ] ) and PacketFence ( [ http://packetfence.org/ | http://packetfence.org ] ) _______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
