[Samba] Samba4 - Win7 RSAT tools - global catalog (GC) cannot be contacted

[Thomas Harold]

Fresh install of 4.0.6 from source on CentOS 6 minimal.  Provisioning 
worked fine as did adding a Win7 Pro machine to the domain.  Now trying 
to use the RSAT (Remote System Administration Tools), specifically the 
Active Directory Users and Computers tool.

When looking at the properties for the "Administrator" account, clicking 
on the "Member Of" tab results in a 30 second wait, then the error 
message of "global catalog (GC) cannot be contacted".

Once I click through the error message, it displays the groups that the 
account is a member of.

Config file is:

# Global parameters
[global]
        workgroup = EXAMPLE
        realm = HQ.EXAMPLE.COM
        netbios name = ATHENS
        server role = active directory domain controller
        dns forwarder = 172.30.0.1

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/hq.example.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

My guess is that this is an iptables error, although I followed the 
instructions on the wiki to open up the appropriate ports.  Not sure 
what port/protocol I missed.

https://wiki.samba.org/index.php/Configure_your_firewall

/etc/sysconfig/iptables:

# Generated by iptables-save v1.4.7 on Fri May 24 21:51:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:6932]
:NFSCHECK - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -j NFSCHECK
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A NFSCHECK -s 172.30.0.0/24 -p tcp -m multiport --dports 
2049,32803,892,662,111 -m comment --comment "TCP for nfs, lockd, mountd, 
statd, portmap" -j ACCEPT
-A NFSCHECK -s 172.30.0.0/24 -p udp -m multiport --dports 
2049,32769,892,662,111 -m comment --comment "UDP for nfs, lockd, mountd, 
statd, portmap" -j ACCEPT
-A NFSCHECK -j RETURN
COMMIT
# Completed on Fri May 24 21:51:36 2013
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba