Adrian, I did the yum update if I remember correctly and rebooted the machine. Worked perfectly afterwards.
Best regards
Geert

On Mon, 1 Feb 2021 at 17:13, Adrian Dessaigne via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hello!
>
> I got the exact same issue! Do you have a command to reload the PacketFence iptables configuration?
>
> Regards,
>
> Adrian.
>
> ------------------------------
> *From:* "packetfence-users" <packetfence-users@lists.sourceforge.net>
> *To:* "Geert Heremans" <heremans.ge...@gmail.com>, "packetfence-users" <packetfence-users@lists.sourceforge.net>
> *Cc:* "Durand fabrice" <fdur...@inverse.ca>
> *Sent:* Wednesday 7 October 2020 15:30:09
> *Subject:* Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
>
> Ok, so it looks like your iptables config is not able to load.
>
> It's probably related to the NETFLOW kernel module.
>
> You have 2 choices, the first one:
>
> edit /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j NETFLOW"
>
> or do a yum update; if there is a new kernel then reboot the server, then do yum reinstall dkms-ipt-netflow
>
> Then once done check again iptables -L -n -v; if it's more verbose then retry to join the domain, it should work.
>
> Regards
>
> Fabrice
>
> On 20-10-07 at 09:23, Geert Heremans wrote:
>
> Hello Fabrice
>
> of course. Anything that helps.
>
> The output of the iptables -L -n -v command you'll find below:
>
> Chain INPUT (policy ACCEPT 1891K packets, 332M bytes)
>  pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes)
>  pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes)
>  pkts bytes target prot opt in out source destination
>
> Below the contents of the iptables.conf file. Also attached to this email
>
> # Copyright (C) Inverse inc.
> # iptables template
> # This file is manipulated on PacketFence's startup before being given to iptables
> *filter
>
> ### INPUT ###
> :INPUT DROP [0:0]
> # accept loopback stuff
> -A INPUT --in-interface lo --jump ACCEPT
> # accept anything related
> -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
> # Accept Ping (easier troubleshooting)
> -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
>
> :input-management-if - [0:0]
> # SSH
> -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
> # HTTP and HTTPS for the portal
> -A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> # Web Admin
> -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
> # Webservices
> -A input-management-if --protocol tcp --match tcp --dport %%webservices_port%% --jump ACCEPT
> # AAA
> -A input-management-if --protocol tcp --match tcp --dport %%aaa_port%% --jump ACCEPT
> # Unified API
> -A input-management-if --protocol tcp --match tcp --dport %%unifiedapi_port%% --jump ACCEPT
> # httpd.portal modstatus
> -A input-management-if --protocol tcp --match tcp --dport %%httpd_portal_modstatus%% --jump ACCEPT
> # httpd.collector
> -A input-management-if --protocol tcp --match tcp --dport %%httpd_collector_port%% --jump ACCEPT
> # haproxy stats (uncomment if activating the haproxy dashboard) - 1025 for haproxy-portal, 1026 for haproxy-db
> #-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT
> #-A input-management-if --protocol tcp --match tcp --dport 1026 --jump ACCEPT
> # Netdata
> -A input-management-if --protocol tcp --match tcp --dport 19999 --jump ACCEPT
>
> # RADIUS
> -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
> # RADIUS (eduroam virtual-server)
> %%eduroam_radius_virtualserver%%
> # SNMP Traps
> -A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT
> # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
> -A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> # OpenVAS Administration Interface
> -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
> # Nessus Administration Interface
> -A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
> # PacketFence-PKI
> # -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT
> # -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT
>
> # Fingerbank collector (replication, Netflow, API, sFlow)
> -A input-management-if --protocol udp --match udp --dport 1192 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 2055 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 4723 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 6343 --jump ACCEPT
>
> # VRRP
> -A input-management-if -d 224.0.0.0/8 -j ACCEPT
> -A input-management-if -p vrrp -j ACCEPT
> # Mysql
> -A input-management-if --protocol tcp --match tcp --dport 3306 --jump ACCEPT
>
> # Syslog
> -A input-management-if --protocol udp --match udp --dport 514 --jump ACCEPT
>
> :input-portal-if - [0:0]
> -A input-portal-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
>
> :input-radius-if - [0:0]
> -A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
> -A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT
> -A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
> -A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT
> -A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
> -A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT
> -A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
> %%eduroam_radius_listening%%
>
> :input-dns-if - [0:0]
> -A input-dns-if --protocol tcp --match tcp --dport 53 --jump ACCEPT
> -A input-dns-if --protocol udp --match udp --dport 53 --jump ACCEPT
>
> :input-dhcp-if - [0:0]
> -A input-dhcp-if --protocol udp --match udp --dport 67 --jump ACCEPT
> -A input-dhcp-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
>
>
> :input-internal-vlan-if - [0:0]
> # DNS
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 53 --jump ACCEPT
> -A input-internal-vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
> # HTTP (captive-portal)
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
> # HTTP (parking portal)
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT
> %%input_inter_vlan_if%%
>
>
> :input-internal-isol_vlan-if - [0:0]
> # DNS
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53 --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol udp --match udp --dport 53 --jump ACCEPT
> # DHCP
> -A input-internal-isol_vlan-if --protocol udp --match udp --dport 67 --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
> # HTTP (captive-portal)
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
> # HTTP (parking portal)
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT
> %%input_inter_isol_vlan_if%%
>
> :input-internal-inline-if - [0:0]
> # DNS
> -A input-internal-inline-if --protocol tcp --match tcp --dport 53 --jump ACCEPT
> -A input-internal-inline-if --protocol udp --match udp --dport 53 --jump ACCEPT
> # HTTP (captive-portal)
> # prevent registered users from reaching it
> # TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
> #-A input-internal-inline-if --protocol tcp --match tcp --dport 80 --match mark --mark 0x1 --jump DROP
> #-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
> # allow everyone else behind inline interface (not registered, isolated, etc.)
> -A input-internal-inline-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> -A input-internal-inline-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
> %%input_inter_inline_rules%%
>
> :input-highavailability-if - [0:0]
> #SSH
> -A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
> #Galera autofix
> -A input-highavailability-if --protocol udp --match udp --dport 4253 --jump ACCEPT
> #Galera cluster
> -A input-highavailability-if --protocol tcp --match tcp --dport 4444 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 4567 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 4568 --jump ACCEPT
> #PacketFence MariaDB Quorum server
> -A input-highavailability-if --protocol tcp --match tcp --dport 7890 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 7891 --jump ACCEPT
> # Corosync
> -A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
> -A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
> #DRBD
> -A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
> # Heartbeat
> -A input-highavailability-if --protocol udp --match udp --dport 694 --jump ACCEPT
> #PCS
> -A input-highavailability-if --protocol tcp --match tcp --dport 2224 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 3121 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 21064 --jump ACCEPT
>
> # These will redirect to the proper chains based on conf/pf.conf's configuration
> %%filter_if_src_to_chain%%
>
> ### FORWARD ###
> :FORWARD DROP [0:0]
> -I FORWARD -j NETFLOW
>
> :forward-internal-vlan-if - [0:0]
> %%filter_forward_vlan%%
>
> :forward-internal-isolvlan-if - [0:0]
> %%filter_forward_isol_vlan%%
>
> :forward-internal-inline-if - [0:0]
> %%filter_forward_inline%%
>
> %%filter_forward%%
>
> %%filter_forward_domain%%
>
> :OUTPUT ACCEPT [0:0]
>
> COMMIT
>
> *mangle
> :PREROUTING ACCEPT [0:0]
> :prerouting-int-inline-if - [0:0]
> %%mangle_prerouting_inline%%
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :postrouting-int-inline-if - [0:0]
> %%mangle_postrouting_inline%%
> # These will redirect to the proper chains based on conf/pf.conf's configuration
> %%mangle_if_src_to_chain%%
> COMMIT
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :prerouting-int-inline-if - [0:0]
> :postrouting-inline-routed - [0:0]
> :postrouting-int-inline-if - [0:0]
> :prerouting-int-vlan-if - [0:0]
>
> %%nat_prerouting_inline%%
> %%nat_prerouting_vlan%%
>
> :OUTPUT ACCEPT [0:0]
> # These will redirect to the proper chains based on conf/pf.conf's configuration
> %%nat_if_src_to_chain%%
>
>
> :POSTROUTING ACCEPT [0:0]
>
> %%nat_postrouting_inline%%
>
> #
> # Chain to enable routing instead of NAT
> #
> %%routed_postrouting_inline%%
>
> #
> # NAT out (PAT actually)
> #
> # If you want to do your own thing regarding NAT like for example:
> # - allowing through instead of doing NAT (make sure you have the proper return route)
> # - traffic out on some interface other than management
> # - overloading on multiple IP addresses
> # Comment the next two lines and do it here on the POSTROUTING chain.
> # Make sure to adjust the FORWARD rules also to allow traffic back-in.
> %%nat_postrouting_vlan%%
>
> #
> # Routing for the hidden domain network
> #
> %%domain_postrouting%%
> COMMIT
>
> On Wed, 7 Oct 2020 at 15:17, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Geert,
>>
>> can you provide the file /usr/local/pf/var/conf/iptables.conf and the output of iptables -L -n -v
>>
>> Regards
>>
>> Fabrice
>>
>> On 20-10-07 at 08:11, Geert Heremans via PacketFence-users wrote:
>>
>> Thank you Maile and others
>>
>> Really appreciate it.
>>
>> Putting the management network on the same as the DC didn't work.
>>
>> Would it help if I joined the server using the net ads command and bypass the Join Domain function in PF?
>>
>> Best regards
>> Geert
>>
>> On Wed, 7 Oct 2020 at 10:32, Maile Halatuituia <maile.halatuit...@tcc.to> wrote:
>>
>>> Hi Geert
>>>
>>> I did have the same issue as yours but mine got fixed when I put my management interface on the same network where my Domain Controller is.
>>>
>>> To be clearer, my Domain IP is 10.0.1.x/24 and my PF Management Interface is 10.0.1.y/24. After I made that change, everything works just fine. Hope it will help you.
>>>
>>> Maile.
>>>
>>> *From:* Geert Heremans via PacketFence-users <packetfence-users@lists.sourceforge.net>
>>> *Sent:* Wednesday, 7 October 2020 9:59 AM
>>> *To:* packetfence-users@lists.sourceforge.net
>>> *Cc:* Geert Heremans <heremans.ge...@gmail.com>
>>> *Subject:* [PacketFence-users] Cannot join domain using GUI - net ads join works
>>>
>>> Hello everyone
>>>
>>> I'm trying to get my PF10 server to join my domain. The PF hostname is hades and my domain is sintcordula.be.
>>>
>>> Trying to join from the GUI fails because no DC is found.
>>>
>>> However, when I try to join the server using the shell it works. The computer account is created in the domain.
>>>
>>> Failed to join domain: failed to find DC for domain SINTCORDULA - {Operation Failed} The requested operation was unsuccessful.
>>>
>>> net ads join -s /etc/samba/scis2.conf -U XXXX
>>> Using short domain name -- SINTCORDULA
>>> Joined 'HADES' to dns domain 'SINTCORDULA.BE'
>>> No DNS domain configured for hades. Unable to perform DNS Update.
>>> DNS update failed: NT_STATUS_INVALID_PARAMETER
>>>
>>> Can anyone point me in the right direction for debugging?
>>>
>>> Best Regards
>>>
>>> Geert
>>>
>>> Confidentiality Notice:
>>>
>>> This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
>>>
>> --
>> Fabrice Durand
>> fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
> --
> Fabrice Durand
> fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
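The diagnosis Fabrice gives in the thread rests on two observations: an `iptables -L -n -v` listing in which every built-in chain sits at policy ACCEPT with no rules underneath means iptables-restore rejected the rendered iptables.conf as a whole, and the most likely rejected line is `-I FORWARD -j NETFLOW` when the ipt_NETFLOW module (dkms-ipt-netflow) has not been rebuilt for the running kernel. The script below is an added example, not code from the thread or from the PacketFence project, that turns those observations into repeatable checks. The empty listing is the one Geert posted; the "healthy" listing, its counters, and the `diagnose`/`live_diagnose` function names are constructed for illustration, and the default config path is the one Fabrice asked for in the thread.

```shell
#!/bin/sh
# Added example (not from the PacketFence thread or project): checks that encode
# Fabrice's diagnosis of an iptables.conf that fails to load.

# Constructed sample: the empty listing Geert posted (all chains at policy ACCEPT, no rules).
EMPTY_RULESET='Chain INPUT (policy ACCEPT 1891K packets, 332M bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes)
 pkts bytes target prot opt in out source destination'

# Constructed sample of a healthy listing (counters made up for illustration).
LOADED_RULESET='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   12   720 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  100  8000 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 NETFLOW all -- * * 0.0.0.0/0 0.0.0.0/0'

# The two template lines from the thread that matter for this check.
SAMPLE_CONF=':FORWARD DROP [0:0]
-I FORWARD -j NETFLOW'

# count_rules LISTING: number of rule lines, ignoring chain headers, column headers and blanks.
count_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /        { next }
        /^ *pkts +bytes/ { next }
        /^[ \t]*$/       { next }
                         { n++ }
        END              { print n + 0 }'
}

# policy_of CHAIN LISTING: policy of a built-in chain, or "none" if the chain is not listed.
policy_of() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain" && $2 == chain && $3 == "(policy" { print $4; found = 1; exit }
        END { if (!found) print "none" }'
}

# conf_uses_netflow CONF: does the rendered iptables.conf jump to the NETFLOW target?
conf_uses_netflow() {
    printf '%s\n' "$1" | grep -Eq '(-j|--jump)[[:space:]]+NETFLOW'
}

# netflow_module_loaded: is ipt_NETFLOW (the module name used by the ipt-netflow project)
# loaded in the running kernel? Live check; false on a host without lsmod.
netflow_module_loaded() {
    lsmod 2>/dev/null | awk '$1 == "ipt_NETFLOW" { found = 1 } END { exit !found }'
}

# diagnose LISTING CONF: one-line verdict combining the checks above.
diagnose() {
    if [ "$(count_rules "$1")" -eq 0 ] && [ "$(policy_of INPUT "$1")" = "ACCEPT" ]; then
        if conf_uses_netflow "$2"; then
            echo "ruleset-not-loaded: iptables.conf uses the NETFLOW target; rebuild dkms-ipt-netflow for the running kernel or drop '-I FORWARD -j NETFLOW'"
        else
            echo "ruleset-not-loaded: run 'iptables-restore --test' on the rendered file to see the rejected line"
        fi
    else
        echo "ruleset-loaded"
    fi
}

# live_diagnose [CONF_FILE]: same verdict against the running host (only with --live).
live_diagnose() {
    conf_file="${1:-/usr/local/pf/var/conf/iptables.conf}"
    conf="$(cat "$conf_file" 2>/dev/null)"
    diagnose "$(iptables -L -n -v 2>/dev/null)" "$conf"
    if conf_uses_netflow "$conf" && ! netflow_module_loaded; then
        echo "ipt_NETFLOW is not loaded for kernel $(uname -r)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_diagnose "$2"
else
    diagnose "$EMPTY_RULESET" "$SAMPLE_CONF"
    diagnose "$LOADED_RULESET" "$SAMPLE_CONF"
fi
```

Run without arguments it evaluates the two embedded samples; `sh check.sh --live` runs the same logic against the host's real listing and rendered config. The `policy_of INPUT` check matters because PacketFence's template sets `:INPUT DROP`, so an INPUT chain at policy ACCEPT is itself evidence that the file was never applied, independent of the rule count.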