Adrian

I did the Yum update if I remember correctly and rebooted the machine.
Worked perfectly afterwards.

Best regards
Geert

On Mon 1 Feb 2021 at 17:13, Adrian Dessaigne via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello!
>
> I got the exact same issue! Do you have a command to reload the PacketFence
> iptables configuration?
>
> Regards,
>
> Adrian.
>
> ------------------------------
> *From: *"packetfence-users" <packetfence-users@lists.sourceforge.net>
> *To: *"Geert Heremans" <heremans.ge...@gmail.com>, "packetfence-users" <packetfence-users@lists.sourceforge.net>
> *Cc: *"Durand fabrice" <fdur...@inverse.ca>
> *Sent: *Wednesday, 7 October 2020 15:30:09
> *Subject: *Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
>
> Ok, so it looks like your iptables config is not able to load.
>
> It's probably related to the NETFLOW kernel module.
>
> You have 2 choices. The first one:
>
> edit /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j NETFLOW"
>
> or do a yum update; if there is a new kernel then reboot the server, then do yum reinstall dkms-ipt-netflow
>
>
> Then once done check again iptables -L -n -v; if it's more verbose then retry to join the domain, it should work.
>
>
> Regards
>
> Fabrice
>
>
> On 20-10-07 at 09:23, Geert Heremans wrote:
>
> Hello Fabrice
>
> Of course. Anything that helps.
>
> The output of the iptables -L -n -v command you'll find below:
>
> Chain INPUT (policy ACCEPT 1891K packets, 332M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
>
> Below are the contents of the iptables.conf file. It is also attached to this email.
>
> # Copyright (C) Inverse inc.
> # iptables template
> # This file is manipulated on PacketFence's startup before being given to iptables
> *filter
>
> ### INPUT ###
> :INPUT DROP [0:0]
> # accept loopback stuff
> -A INPUT --in-interface lo --jump ACCEPT
> # accept anything related
> -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
> # Accept Ping (easier troubleshooting)
> -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
>
> :input-management-if - [0:0]
> # SSH
> -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
> # HTTP and HTTPS for the portal
> -A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> # Web Admin
> -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
> # Webservices
> -A input-management-if --protocol tcp --match tcp --dport %%webservices_port%% --jump ACCEPT
> # AAA
> -A input-management-if --protocol tcp --match tcp --dport %%aaa_port%% --jump ACCEPT
> # Unified API
> -A input-management-if --protocol tcp --match tcp --dport %%unifiedapi_port%% --jump ACCEPT
> # httpd.portal modstatus
> -A input-management-if --protocol tcp --match tcp --dport %%httpd_portal_modstatus%% --jump ACCEPT
> # httpd.collector
> -A input-management-if --protocol tcp --match tcp --dport %%httpd_collector_port%% --jump ACCEPT
> # haproxy stats (uncomment if activating the haproxy dashboard) - 1025 for haproxy-portal, 1026 for haproxy-db
> #-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT
> #-A input-management-if --protocol tcp --match tcp --dport 1026 --jump ACCEPT
> # Netdata
> -A input-management-if --protocol tcp --match tcp --dport 19999 --jump ACCEPT
>
> # RADIUS
> -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
> # RADIUS (eduroam virtual-server)
> %%eduroam_radius_virtualserver%%
> # SNMP Traps
> -A input-management-if --protocol udp --match udp --dport 162  --jump ACCEPT
> # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
> -A input-management-if --protocol udp --match udp --dport 67  --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
> # OpenVAS Administration Interface
> -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
> # Nessus Administration Interface
> -A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
> # PacketFence-PKI
> # -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT
> # -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT
>
> # Fingerbank collector (replication, Netflow, API, sFlow)
> -A input-management-if --protocol udp --match udp --dport 1192 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 2055 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 4723 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 6343 --jump ACCEPT
>
> # VRRP
> -A input-management-if -d 224.0.0.0/8 -j ACCEPT
> -A input-management-if -p vrrp -j ACCEPT
> # Mysql
> -A input-management-if --protocol tcp --match tcp --dport 3306 --jump ACCEPT
>
> # Syslog
> -A input-management-if --protocol udp --match udp --dport 514 --jump ACCEPT
>
> :input-portal-if - [0:0]
> -A input-portal-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
> -A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
>
> :input-radius-if - [0:0]
> -A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
> -A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT
> -A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
> -A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT
> -A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
> -A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT
> -A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
> %%eduroam_radius_listening%%
>
> :input-dns-if - [0:0]
> -A input-dns-if --protocol tcp --match tcp --dport 53 --jump ACCEPT
> -A input-dns-if --protocol udp --match udp --dport 53 --jump ACCEPT
>
> :input-dhcp-if - [0:0]
> -A input-dhcp-if --protocol udp --match udp --dport 67  --jump ACCEPT
> -A input-dhcp-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
>
>
> :input-internal-vlan-if - [0:0]
> # DNS
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
> -A input-internal-vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
> # HTTP (captive-portal)
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
> # HTTP (parking portal)
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT
> %%input_inter_vlan_if%%
>
>
> :input-internal-isol_vlan-if - [0:0]
> # DNS
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53 --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
> # DHCP
> -A input-internal-isol_vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> # HTTP (captive-portal)
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
> # HTTP (parking portal)
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT
> %%input_inter_isol_vlan_if%%
>
> :input-internal-inline-if - [0:0]
> # DNS
> -A input-internal-inline-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
> -A input-internal-inline-if --protocol udp --match udp --dport 53  --jump ACCEPT
> # HTTP (captive-portal)
> # prevent registered users from reaching it
> # TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
> #-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --match mark --mark 0x1 --jump DROP
> #-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
> # allow everyone else behind inline interface (not registered, isolated, etc.)
> -A input-internal-inline-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
> -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> -A input-internal-inline-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
> %%input_inter_inline_rules%%
>
> :input-highavailability-if - [0:0]
> #SSH
> -A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
> #Galera autofix
> -A input-highavailability-if --protocol udp --match udp --dport 4253 --jump ACCEPT
> #Galera cluster
> -A input-highavailability-if --protocol tcp --match tcp --dport 4444 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 4567 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 4568 --jump ACCEPT
> #PacketFence MariaDB Quorum server
> -A input-highavailability-if --protocol tcp --match tcp --dport 7890 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 7891 --jump ACCEPT
> # Corosync
> -A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
> -A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
> #DRBD
> -A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
> # Heartbeat
> -A input-highavailability-if --protocol udp --match udp --dport 694 --jump ACCEPT
> #PCS
> -A input-highavailability-if --protocol tcp --match tcp --dport 2224 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 3121 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 21064 --jump ACCEPT
>
> # These will redirect to the proper chains based on conf/pf.conf's configuration
> %%filter_if_src_to_chain%%
>
> ### FORWARD ###
> :FORWARD DROP [0:0]
> -I FORWARD -j NETFLOW
>
> :forward-internal-vlan-if - [0:0]
> %%filter_forward_vlan%%
>
> :forward-internal-isolvlan-if - [0:0]
> %%filter_forward_isol_vlan%%
>
> :forward-internal-inline-if - [0:0]
> %%filter_forward_inline%%
>
> %%filter_forward%%
>
> %%filter_forward_domain%%
>
> :OUTPUT ACCEPT [0:0]
>
> COMMIT
>
> *mangle
> :PREROUTING ACCEPT [0:0]
> :prerouting-int-inline-if - [0:0]
> %%mangle_prerouting_inline%%
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :postrouting-int-inline-if - [0:0]
> %%mangle_postrouting_inline%%
> # These will redirect to the proper chains based on conf/pf.conf's configuration
> %%mangle_if_src_to_chain%%
> COMMIT
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :prerouting-int-inline-if - [0:0]
> :postrouting-inline-routed - [0:0]
> :postrouting-int-inline-if - [0:0]
> :prerouting-int-vlan-if - [0:0]
>
> %%nat_prerouting_inline%%
> %%nat_prerouting_vlan%%
>
> :OUTPUT ACCEPT [0:0]
> # These will redirect to the proper chains based on conf/pf.conf's configuration
> %%nat_if_src_to_chain%%
>
>
> :POSTROUTING ACCEPT [0:0]
>
> %%nat_postrouting_inline%%
>
> #
> # Chain to enable routing instead of NAT
> #
> %%routed_postrouting_inline%%
>
> #
> # NAT out (PAT actually)
> #
> # If you want to do your own thing regarding NAT like for example:
> # - allowing through instead of doing NAT (make sure you have the proper return route)
> # - traffic out on some interface other than management
> # - overloading on multiple IP addresses
> # Comment the next two lines and do it here on the POSTROUTING chain.
> # Make sure to adjust the FORWARD rules also to allow traffic back-in.
> %%nat_postrouting_vlan%%
>
> #
> # Routing for the hidden domain network
> #
> %%domain_postrouting%%
> COMMIT
>
> On Wed 7 Oct 2020 at 15:17, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Geert,
>>
>>
>> Can you provide the file /usr/local/pf/var/conf/iptables.conf and the
>> output of iptables -L -n -v?
>>
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On 20-10-07 at 08:11, Geert Heremans via PacketFence-users wrote:
>>
>> Thank you Maile and others
>>
>> Really appreciate it.
>>
>> Putting the management network on the same as the DC didn't work.
>>
>> Would it help if I joined the server using the net ads command and bypass
>> the Join Domain function in PF?
>>
>> Best regards
>> Geert
>>
>> On Wed 7 Oct 2020 at 10:32, Maile Halatuituia <maile.halatuit...@tcc.to> wrote:
>>
>>> Hi Geert
>>>
>>> I did have the same issue as yours but mine got fixed when I put my
>>> management interface on the same network where my Domain Controller is.
>>>
>>> To be clearer, my Domain IP is 10.0.1.x/24 and my PF Management
>>> Interface is 10.0.1.y/24. After I made that change, everything works just
>>> fine. Hope it will help you.
>>>
>>> Maile.
>>>
>>>
>>>
>>> *From:* Geert Heremans via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net>
>>> *Sent:* Wednesday, 7 October 2020 9:59 AM
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* Geert Heremans <heremans.ge...@gmail.com>
>>> *Subject:* [PacketFence-users] Cannot join domain using GUI - net ads
>>> join works
>>>
>>>
>>>
>>> Hello everyone
>>>
>>> I'm trying to get my PF10 server to join my domain. The PF hostname is
>>> hades and my domain is sintcordula.be.
>>>
>>> Trying to join from the GUI fails because no DC is found.
>>>
>>> However, when I try to join the server using the shell it works. The
>>> computer account is created in the domain.
>>>
>>> Failed to join domain: failed to find DC for domain SINTCORDULA -
>>> {Operation Failed} The requested operation was unsuccessful.
>>>
>>> net ads join -s /etc/samba/scis2.conf -U XXXX
>>> Using short domain name -- SINTCORDULA
>>> Joined 'HADES' to dns domain 'SINTCORDULA.BE'
>>> No DNS domain configured for hades. Unable to perform DNS Update.
>>> DNS update failed: NT_STATUS_INVALID_PARAMETER
>>>
>>> Can anyone point me in the right direction for debugging?
>>>
>>> Best Regards
>>>
>>> Geert
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> --
>> Fabrice Durand fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>>
>
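As an added example (not code from the thread or from the PacketFence project), the shell script below reproduces Fabrice's diagnosis on constructed input: an `iptables -L -n -v` listing that shows only chain headers means the ruleset never loaded, and if the template jumps to the NETFLOW target while the ipt_NETFLOW module is absent from `lsmod`, that is the likely cause. The function names, the sample listing, the template fragment and the `lsmod` output are all mine; on a real host you would feed it the live command outputs instead.

```sh
#!/bin/sh
# Added example, not code from the thread or from PacketFence: it reproduces the
# diagnosis above on constructed input. A listing with only chain headers means
# the ruleset never loaded; a NETFLOW jump without ipt_NETFLOW explains why.

# Constructed listing shaped like the one posted in the thread (headers, no rules).
EMPTY_LISTING='Chain INPUT (policy ACCEPT 1891K packets, 332M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed fragment of the iptables.conf template containing the NETFLOW rule.
TEMPLATE=':FORWARD DROP [0:0]
-I FORWARD -j NETFLOW'

# Constructed `lsmod` output from a host whose dkms module was not rebuilt.
LSMOD_NO_NETFLOW='Module                  Size  Used by
nf_conntrack          143360  1
x_tables               45056  2'

# Count real rule lines in `iptables -L -n -v` output: skip "Chain" headers, the
# column header and blank lines. Zero means the ruleset was never committed.
count_rules() {
    printf '%s\n' "$1" | awk '!/^Chain / && !/^[[:space:]]*pkts / && NF { n++ } END { print n + 0 }'
}
# Exit 0 if an uncommented template line jumps to the NETFLOW target.
template_needs_netflow() {
    printf '%s\n' "$1" | grep -Eq '^[^#]*-(j|-jump)[[:space:]]+NETFLOW'
}
# Exit 0 if module $2 is listed in the `lsmod` output $1.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}
# Verdict: 0 = rules loaded, 1 = empty and explained by the missing ipt_NETFLOW
# module, 2 = empty for another reason (validate with iptables-restore --test).
diagnose() {
    if [ "$(count_rules "$1")" -gt 0 ]; then
        echo "ruleset loaded"; return 0
    fi
    if template_needs_netflow "$2" && ! module_loaded "$3" ipt_NETFLOW; then
        echo "ruleset empty: template jumps to NETFLOW but ipt_NETFLOW is not loaded"
        echo "fix: drop '-I FORWARD -j NETFLOW' or reinstall dkms-ipt-netflow for this kernel"
        return 1
    fi
    echo "ruleset empty for another reason: run 'iptables-restore --test' on the template"
    return 2
}
diagnose "$EMPTY_LISTING" "$TEMPLATE" "$LSMOD_NO_NETFLOW"; echo "verdict code: $?"
```

On a live system replace the three constructed strings with `"$(iptables -L -n -v)"`, `"$(cat /usr/local/pf/var/conf/iptables.conf)"` and `"$(lsmod)"`.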
