Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Hi ! So quick update, I had to put my management interface on the same subnetwork as my AD is in. Working now. Adrian. De: "packetfence-users" À: "packetfence-users" Cc: "ADE" Envoyé: Mardi 2 Février 2021 09:29:40 Objet: Re: [PacketFence-users] Cannot join domain using GUI - net ads join works Thanks for your answers ! Here's an update I've edited /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j NETFLOW" (followed by systemctl restart packetfence-iptables) then used yum update,reinstalled dkms-ipt-netflow and rebooted. In last hope I use pf-maint.pl but the issues is still there. When testing these commands : -"chroot /chroots// net ads join -s /etc/samba/domain.conf -U user" is join the domain successfully. -"chroot /chroots/domain/ wbinfo -u" does list the users. -"chroot /chroots// net ads info -s /etc/samba/.conf" does give me the DC infos. On the web interface : -Failed to join domain: failed to find DC for domain I get this error when I click on "Join" and give user + password. But when I go in the Active Directoy tab or save the object after editing, it auto retry to join the domain and I get a 504 Error PS : I've deleted previous messages to lighten the mail. De: "packetfence-users" À: "packetfence-users" Cc: "ADE" Envoyé: Lundi 1 Février 2021 16:31:09 Objet: Re: [PacketFence-users] Cannot join domain using GUI - net ads join works Hello ! I got the exact same issue ! Do you have a command to reload PacketFence iptable configuration ? Regards, Adrian. De: "packetfence-users" À: "Geert Heremans" , "packetfence-users" Cc: "Durand fabrice" Envoyé: Mercredi 7 Octobre 2020 15:30:09 Objet: Re: [PacketFence-users] Cannot join domain using GUI - net ads join works Ok so it looks that you iptables config is not able to load. It's probably related to NETFLOW kernel module. You have 2 choices, the first one: edit /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j NETFLOW" or do a yum update , if there is a new kernel then reboot the server then do yum reinstall dkms-ipt-netflow Then once done check again iptables -L -n -v , if it's more verbose then retry to join to the domain, it should work. Regards Fabrice ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Thanks for your answers ! Here's an update I've edited /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j NETFLOW" (followed by systemctl restart packetfence-iptables) then used yum update,reinstalled dkms-ipt-netflow and rebooted. In last hope I use pf-maint.pl but the issues is still there. When testing these commands : -"chroot /chroots// net ads join -s /etc/samba/domain.conf -U user" is join the domain successfully. -"chroot /chroots/domain/ wbinfo -u" does list the users. -"chroot /chroots// net ads info -s /etc/samba/.conf" does give me the DC infos. On the web interface : -Failed to join domain: failed to find DC for domain I get this error when I click on "Join" and give user + password. But when I go in the Active Directoy tab or save the object after editing, it auto retry to join the domain and I get a 504 Error PS : I've deleted previous messages to lighten the mail. De: "packetfence-users" À: "packetfence-users" Cc: "ADE" Envoyé: Lundi 1 Février 2021 16:31:09 Objet: Re: [PacketFence-users] Cannot join domain using GUI - net ads join works Hello ! I got the exact same issue ! Do you have a command to reload PacketFence iptable configuration ? Regards, Adrian. De: "packetfence-users" À: "Geert Heremans" , "packetfence-users" Cc: "Durand fabrice" Envoyé: Mercredi 7 Octobre 2020 15:30:09 Objet: Re: [PacketFence-users] Cannot join domain using GUI - net ads join works Ok so it looks that you iptables config is not able to load. It's probably related to NETFLOW kernel module. You have 2 choices, the first one: edit /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j NETFLOW" or do a yum update , if there is a new kernel then reboot the server then do yum reinstall dkms-ipt-netflow Then once done check again iptables -L -n -v , if it's more verbose then retry to join to the domain, it should work. Regards Fabrice ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Adrian I did the Yum update if I remember correctly and rebooted the machine. Worked perfectly afterwards. Best regards Geert Op ma 1 feb. 2021 om 17:13 schreef Adrian Dessaigne via PacketFence-users < packetfence-users@lists.sourceforge.net>: > Hello ! > > I got the exact same issue ! Do you have a command to reload PacketFence > iptable configuration ? > > Regards, > > Adrian. > > -- > *De: *"packetfence-users" > *À: *"Geert Heremans" , "packetfence-users" < > packetfence-users@lists.sourceforge.net> > *Cc: *"Durand fabrice" > *Envoyé: *Mercredi 7 Octobre 2020 15:30:09 > *Objet: *Re: [PacketFence-users] Cannot join domain using GUI - net ads > join works > > Ok so it looks that you iptables config is not able to load. > > It's probably related to NETFLOW kernel module. > > You have 2 choices, the first one: > > edit /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j > NETFLOW" > > or do a yum update , if there is a new kernel then reboot the server then > do yum reinstall dkms-ipt-netflow > > > Then once done check again iptables -L -n -v , if it's more verbose then > retry to join to the domain, it should work. > > > Regards > > Fabrice > > > Le 20-10-07 à 09 h 23, Geert Heremans a écrit : > > Hello Fabrice > > of course. Anything that helps. > > The output of the iptables -L -n -v command you'll find below: > > Chain INPUT (policy ACCEPT 1891K packets, 332M bytes) > > pkts bytes target prot opt in out source > destination > > > Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes) > > pkts bytes target prot opt in out source > destination > > > Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes) > > pkts bytes target prot opt in out source > destination > > > > Below the contents of the iptables.conf file. Also attached to this email > > # Copyright (C) Inverse inc. > # iptables template > # This file is manipulated on PacketFence's startup before being given to > iptables > *filter > > ### INPUT ### > :INPUT DROP [0:0] > # accept loopback stuff > -A INPUT --in-interface lo --jump ACCEPT > # accept anything related > -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT > # Accept Ping (easier troubleshooting) > -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT > > :input-management-if - [0:0] > # SSH > -A input-management-if --match state --state NEW --match tcp --protocol > tcp --dport 22 --jump ACCEPT > # HTTP and HTTPS for the portal > -A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT > -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT > # Web Admin > -A input-management-if --protocol tcp --match tcp --dport > %%web_admin_port%% --jump ACCEPT > # Webservices > -A input-management-if --protocol tcp --match tcp --dport > %%webservices_port%% --jump ACCEPT > # AAA > -A input-management-if --protocol tcp --match tcp --dport %%aaa_port%% > --jump ACCEPT > # Unified API > -A input-management-if --protocol tcp --match tcp --dport > %%unifiedapi_port%% --jump ACCEPT > # httpd.portal modstatus > -A input-management-if --protocol tcp --match tcp --dport > %%httpd_portal_modstatus%% --jump ACCEPT > # httpd.collector > -A input-management-if --protocol tcp --match tcp --dport > %%httpd_collector_port%% --jump ACCEPT > # haproxy stats (uncomment if activating the haproxy dashboard) - 1025 for > haproxy-portal, 1026 for haproxy-db > #-A input-management-if --protocol tcp --match tcp --dport 1025 --jump > ACCEPT > #-A input-management-if --protocol tcp --match tcp --dport 1026 --jump > ACCEPT > # Netdata > -A input-management-if --protocol tcp --match tcp --dport 1 --jump > ACCEPT > > # RADIUS > -A input-management-if --protocol tcp --match tcp --dport 1812 --jump > ACCEPT > -A input-management-if --protocol udp --match udp --dport 1812 --jump > ACCEPT > -A input-management-if --protocol tcp --match tcp --dport 1813 --jump > ACCEPT > -A input-management-if --protocol udp --match udp --dport 1813 --jump > ACCEPT > -A input-management-if --protocol tcp --match tcp --dport 1815 --jump > ACCEPT > -A input-management-if --protocol udp --match udp --dport 1815 --jump > ACCEPT > -A input-management-if --protocol tcp --match tcp --dport 2083 --jump > ACCEPT > # RADIUS (eduroam virtual-server) > %%eduroam_radius_virtualserver%% > # SNMP Traps > -A input-management-if --protocol udp --match udp --dport 162 --jump > ACCEPT > # DHCP (for IP Helpers to mgmt to track users' IP in
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Hello Adrian, systemctl restart packetfence-iptables Thanks, Ludovic Zammit lzam...@inverse.ca <mailto:lzam...@inverse.ca> :: +1.514.447.4918 (x145) :: www.inverse.ca <http://www.inverse.ca/> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu <http://www.sogo.nu/>) and PacketFence (http://packetfence.org <http://packetfence.org/>) > On Feb 1, 2021, at 10:31 AM, Adrian Dessaigne via PacketFence-users > wrote: > > Hello ! > > I got the exact same issue ! Do you have a command to reload PacketFence > iptable configuration ? > > Regards, > > Adrian. > > De: "packetfence-users" > À: "Geert Heremans" , "packetfence-users" > > Cc: "Durand fabrice" > Envoyé: Mercredi 7 Octobre 2020 15:30:09 > Objet: Re: [PacketFence-users] Cannot join domain using GUI - net ads join > works > > Ok so it looks that you iptables config is not able to load. > > It's probably related to NETFLOW kernel module. > > You have 2 choices, the first one: > > edit /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j > NETFLOW" > > or do a yum update , if there is a new kernel then reboot the server then do > yum reinstall dkms-ipt-netflow > > > > Then once done check again iptables -L -n -v , if it's more verbose then > retry to join to the domain, it should work. > > > > Regards > > Fabrice > > > > Le 20-10-07 à 09 h 23, Geert Heremans a écrit : > Hello Fabrice > > of course. Anything that helps. > > The output of the iptables -L -n -v command you'll find below: > > Chain INPUT (policy ACCEPT 1891K packets, 332M bytes) > pkts bytes target prot opt in out source > destination > > Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes) > pkts bytes target prot opt in out source > destination > > Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes) > pkts bytes target prot opt in out source > destination > > > Below the contents of the iptables.conf file. Also attached to this email > > # Copyright (C) Inverse inc. > # iptables template > # This file is manipulated on PacketFence's startup before being given to > iptables > *filter > > ### INPUT ### > :INPUT DROP [0:0] > # accept loopback stuff > -A INPUT --in-interface lo --jump ACCEPT > # accept anything related > -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT > # Accept Ping (easier troubleshooting) > -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT > > :input-management-if - [0:0] > # SSH > -A input-management-if --match state --state NEW --match tcp --protocol tcp > --dport 22 --jump ACCEPT > # HTTP and HTTPS for the portal > -A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT > -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT > # Web Admin > -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% > --jump ACCEPT > # Webservices > -A input-management-if --protocol tcp --match tcp --dport > %%webservices_port%% --jump ACCEPT > # AAA > -A input-management-if --protocol tcp --match tcp --dport %%aaa_port%% --jump > ACCEPT > # Unified API > -A input-management-if --protocol tcp --match tcp --dport %%unifiedapi_port%% > --jump ACCEPT > # httpd.portal modstatus > -A input-management-if --protocol tcp --match tcp --dport > %%httpd_portal_modstatus%% --jump ACCEPT > # httpd.collector > -A input-management-if --protocol tcp --match tcp --dport > %%httpd_collector_port%% --jump ACCEPT > # haproxy stats (uncomment if activating the haproxy dashboard) - 1025 for > haproxy-portal, 1026 for haproxy-db > #-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT > #-A input-management-if --protocol tcp --match tcp --dport 1026 --jump ACCEPT > # Netdata > -A input-management-if --protocol tcp --match tcp --dport 1 --jump ACCEPT > > # RADIUS > -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT > -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT > -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT > -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT > -A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT > -A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT > -A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT > # RADIUS (eduroam virtual-server) > %%eduroam_radius_virtualserver%% > # SNMP Traps
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Hello ! I got the exact same issue ! Do you have a command to reload PacketFence iptable configuration ? Regards, Adrian. De: "packetfence-users" À: "Geert Heremans" , "packetfence-users" Cc: "Durand fabrice" Envoyé: Mercredi 7 Octobre 2020 15:30:09 Objet: Re: [PacketFence-users] Cannot join domain using GUI - net ads join works Ok so it looks that you iptables config is not able to load. It's probably related to NETFLOW kernel module. You have 2 choices, the first one: edit /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j NETFLOW" or do a yum update , if there is a new kernel then reboot the server then do yum reinstall dkms-ipt-netflow Then once done check again iptables -L -n -v , if it's more verbose then retry to join to the domain, it should work. Regards Fabrice Le 20-10-07 à 09 h 23, Geert Heremans a écrit : Hello Fabrice of course. Anything that helps. The output of the iptables -L -n -v command you'll find below: BQ_BEGIN BQ_BEGIN Chain INPUT (policy ACCEPT 1891K packets, 332M bytes) BQ_BEGIN pkts bytes target prot opt in out source destination BQ_END BQ_BEGIN BQ_END BQ_BEGIN Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes) BQ_END BQ_BEGIN pkts bytes target prot opt in out source destination BQ_END BQ_BEGIN BQ_END BQ_BEGIN Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes) BQ_END BQ_BEGIN pkts bytes target prot opt in out source destination BQ_END BQ_END Below the contents of the iptables.conf file. Also attached to this email # Copyright (C) Inverse inc. # iptables template # This file is manipulated on PacketFence's startup before being given to iptables *filter ### INPUT ### :INPUT DROP [0:0] # accept loopback stuff -A INPUT --in-interface lo --jump ACCEPT # accept anything related -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT # Accept Ping (easier troubleshooting) -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT :input-management-if - [0:0] # SSH -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT # HTTP and HTTPS for the portal -A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT # Web Admin -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT # Webservices -A input-management-if --protocol tcp --match tcp --dport %%webservices_port%% --jump ACCEPT # AAA -A input-management-if --protocol tcp --match tcp --dport %%aaa_port%% --jump ACCEPT # Unified API -A input-management-if --protocol tcp --match tcp --dport %%unifiedapi_port%% --jump ACCEPT # httpd.portal modstatus -A input-management-if --protocol tcp --match tcp --dport %%httpd_portal_modstatus%% --jump ACCEPT # httpd.collector -A input-management-if --protocol tcp --match tcp --dport %%httpd_collector_port%% --jump ACCEPT # haproxy stats (uncomment if activating the haproxy dashboard) - 1025 for haproxy-portal, 1026 for haproxy-db #-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT #-A input-management-if --protocol tcp --match tcp --dport 1026 --jump ACCEPT # Netdata -A input-management-if --protocol tcp --match tcp --dport 1 --jump ACCEPT # RADIUS -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT -A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT # RADIUS (eduroam virtual-server) %%eduroam_radius_virtualserver%% # SNMP Traps -A input-management-if --protocol udp --match udp --dport 162 --jump ACCEPT # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs) -A input-management-if --protocol udp --match udp --dport 67 --jump ACCEPT -A input-management-if --protocol tcp --match tcp --dport 67 --jump ACCEPT # OpenVAS Administration Interface -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT # Nessus Administration Interface -A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT # PacketFence-PKI # -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT # -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT # Fingerbank collector (replication, Netflow, API, sFlow) -A input-management-if --protocol udp --match udp --dport 1192 --jump ACCEPT -A input-management-if --protocol udp --match udp --dport 2055 --jump ACCEPT
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
otocol tcp --match tcp --dport 4568 > --jump ACCEPT > #PacketFence MariaDB Quorum server > -A input-highavailability-if --protocol tcp --match tcp --dport 7890 > --jump ACCEPT > -A input-highavailability-if --protocol tcp --match tcp --dport 7891 > --jump ACCEPT > # Corosync > -A input-highavailability-if --protocol udp --match udp --dport 5405 > --jump ACCEPT > -A input-highavailability-if --protocol udp --match udp --dport 5407 > --jump ACCEPT > #DRBD > -A input-highavailability-if --protocol tcp --match tcp --dport 7788 > --jump ACCEPT > # Heartbeat > -A input-highavailability-if --protocol udp --match udp --dport 694 --jump > ACCEPT > #PCS > -A input-highavailability-if --protocol tcp --match tcp --dport 2224 > --jump ACCEPT > -A input-highavailability-if --protocol tcp --match tcp --dport 3121 > --jump ACCEPT > -A input-highavailability-if --protocol tcp --match tcp --dport 21064 > --jump ACCEPT > > # These will redirect to the proper chains based on conf/pf.conf's > configuration > %%filter_if_src_to_chain%% > > ### FORWARD ### > :FORWARD DROP [0:0] > -I FORWARD -j NETFLOW > > :forward-internal-vlan-if - [0:0] > %%filter_forward_vlan%% > > :forward-internal-isolvlan-if - [0:0] > %%filter_forward_isol_vlan%% > > :forward-internal-inline-if - [0:0] > %%filter_forward_inline%% > > %%filter_forward%% > > %%filter_forward_domain%% > > :OUTPUT ACCEPT [0:0] > > COMMIT > > *mangle > :PREROUTING ACCEPT [0:0] > :prerouting-int-inline-if - [0:0] > %%mangle_prerouting_inline%% > :INPUT ACCEPT [0:0] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [0:0] > :POSTROUTING ACCEPT [0:0] > :postrouting-int-inline-if - [0:0] > %%mangle_postrouting_inline%% > # These will redirect to the proper chains based on conf/pf.conf's > configuration > %%mangle_if_src_to_chain%% > COMMIT > > *nat > :PREROUTING ACCEPT [0:0] > :prerouting-int-inline-if - [0:0] > :postrouting-inline-routed - [0:0] > :postrouting-int-inline-if - [0:0] > :prerouting-int-vlan-if - [0:0] > > %%nat_prerouting_inline%% > %%nat_prerouting_vlan%% > > :OUTPUT ACCEPT [0:0] > # These will redirect to the proper chains based on conf/pf.conf's > configuration > %%nat_if_src_to_chain%% > > > :POSTROUTING ACCEPT [0:0] > > %%nat_postrouting_inline%% > > # > # Chain to enable routing instead of NAT > # > %%routed_postrouting_inline%% > > # > # NAT out (PAT actually) > # > # If you want to do your own thing regarding NAT like for example: > # - allowing through instead of doing NAT (make sure you have the proper > return route) > # - traffic out on some interface other than management > # - overloading on multiple IP addresses > # Comment the next two lines and do it here on the POSTROUTING chain. > # Make sure to adjust the FORWARD rules also to allow traffic back-in. > %%nat_postrouting_vlan%% > > # > # Routing for the hidden domain network > # > %%domain_postrouting%% > COMMIT > > Op wo 7 okt. 2020 om 15:17 schreef Fabrice Durand via PacketFence-users < > packetfence-users@lists.sourceforge.net>: > >> Hello Geert, >> >> >> can you provide the file /usr/local/pf/var/conf/iptables.conf and the >> output of iptables -L -n -v >> >> >> Regards >> >> Fabrice >> >> >> Le 20-10-07 à 08 h 11, Geert Heremans via PacketFence-users a écrit : >> >> Thank you Maile and others >> >> Really appreciate it. >> >> Putting the management network on the same as the DC din't work. >> >> Would it help if I joined the server using the net ads command end bypass >> the Join Domain function in PF? >> >> Best regards >> Geert >> >> Op wo 7 okt. 2020 om 10:32 schreef Maile Halatuituia < >> maile.halatuit...@tcc.to>: >> >>> Hi Geert >>> >>> I did have the same issue as yours but mine got fixed when I put my >>> management interface on the same network where my Doman Controller is. >>> >>> To be more clearer, my Domain IP is 10.0.1.x/24 and my PF Management >>> Interface is 10.0.1.y/24. After I made that changed , everything works just >>> fine. Hope it will help you. >>> >>> Maile. >>> >>> >>> >>> *From:* Geert Heremans via PacketFence-users < >>> packetfence-users@lists.sourceforge.net> >>> *Sent:* Wednesday, 7 October 2020 9:59 AM >>> *To:* packetfence-users@lists.sourceforge.net >>> *Cc:* Geert Heremans >>> *Subject:* [PacketFence-users] Cannot join domain using GUI - net ads >>> join works
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
nternal-isolvlan-if - [0:0] %%filter_forward_isol_vlan%% :forward-internal-inline-if - [0:0] %%filter_forward_inline%% %%filter_forward%% %%filter_forward_domain%% :OUTPUT ACCEPT [0:0] COMMIT *mangle :PREROUTING ACCEPT [0:0] :prerouting-int-inline-if - [0:0] %%mangle_prerouting_inline%% :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :postrouting-int-inline-if - [0:0] %%mangle_postrouting_inline%% # These will redirect to the proper chains based on conf/pf.conf's configuration %%mangle_if_src_to_chain%% COMMIT *nat :PREROUTING ACCEPT [0:0] :prerouting-int-inline-if - [0:0] :postrouting-inline-routed - [0:0] :postrouting-int-inline-if - [0:0] :prerouting-int-vlan-if - [0:0] %%nat_prerouting_inline%% %%nat_prerouting_vlan%% :OUTPUT ACCEPT [0:0] # These will redirect to the proper chains based on conf/pf.conf's configuration %%nat_if_src_to_chain%% :POSTROUTING ACCEPT [0:0] %%nat_postrouting_inline%% # # Chain to enable routing instead of NAT # %%routed_postrouting_inline%% # # NAT out (PAT actually) # # If you want to do your own thing regarding NAT like for example: # - allowing through instead of doing NAT (make sure you have the proper return route) # - traffic out on some interface other than management # - overloading on multiple IP addresses # Comment the next two lines and do it here on the POSTROUTING chain. # Make sure to adjust the FORWARD rules also to allow traffic back-in. %%nat_postrouting_vlan%% # # Routing for the hidden domain network # %%domain_postrouting%% COMMIT Op wo 7 okt. 2020 om 15:17 schreef Fabrice Durand via PacketFence-users <mailto:packetfence-users@lists.sourceforge.net>>: Hello Geert, can you provide the file /usr/local/pf/var/conf/iptables.conf and the output of iptables -L -n -v Regards Fabrice Le 20-10-07 à 08 h 11, Geert Heremans via PacketFence-users a écrit : Thank you Maile and others Really appreciate it. Putting the management network on the same as the DC din't work. Would it help if I joined the server using the net ads command end bypass the Join Domain function in PF? Best regards Geert Op wo 7 okt. 2020 om 10:32 schreef Maile Halatuituia mailto:maile.halatuit...@tcc.to>>: Hi Geert I did have the same issue as yours but mine got fixed when I put my management interface on the same network where my Doman Controller is. To be more clearer, my Domain IP is 10.0.1.x/24 and my PF Management Interface is 10.0.1.y/24. After I made that changed , everything works just fine. Hope it will help you. Maile. *From:*Geert Heremans via PacketFence-users mailto:packetfence-users@lists.sourceforge.net>> *Sent:* Wednesday, 7 October 2020 9:59 AM *To:* packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net> *Cc:* Geert Heremans mailto:heremans.ge...@gmail.com>> *Subject:* [PacketFence-users] Cannot join domain using GUI - net ads join works Hello everyone I'm trying to get my PF10 server to join my domain. The PF hostname is hades and my domain is sintcordula.be <http://sintcordula.be>. Trying to join from the gui false because no DC is found. However when I try to join the server using the shell it works. The computer account is created in the domain. Failed to join domain: failed to find DC for domain SINTCORDULA - {Operation Failed} The requested operation was unsuccessful. net ads join -s /etc/samba/scis2.conf -U Using short domain name -- SINTCORDULA Joined 'HADES' to dns domain 'SINTCORDULA.BE <http://SINTCORDULA.BE>' No DNS domain configured for hades. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER Can anyone point me into the right direction for debugging? Best Regards Geert Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. ___ PacketFence-users mailing list Packet
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
%% :OUTPUT ACCEPT [0:0] # These will redirect to the proper chains based on conf/pf.conf's configuration %%nat_if_src_to_chain%% :POSTROUTING ACCEPT [0:0] %%nat_postrouting_inline%% # # Chain to enable routing instead of NAT # %%routed_postrouting_inline%% # # NAT out (PAT actually) # # If you want to do your own thing regarding NAT like for example: # - allowing through instead of doing NAT (make sure you have the proper return route) # - traffic out on some interface other than management # - overloading on multiple IP addresses # Comment the next two lines and do it here on the POSTROUTING chain. # Make sure to adjust the FORWARD rules also to allow traffic back-in. %%nat_postrouting_vlan%% # # Routing for the hidden domain network # %%domain_postrouting%% COMMIT Op wo 7 okt. 2020 om 15:17 schreef Fabrice Durand via PacketFence-users < packetfence-users@lists.sourceforge.net>: > Hello Geert, > > > can you provide the file /usr/local/pf/var/conf/iptables.conf and the > output of iptables -L -n -v > > > Regards > > Fabrice > > > Le 20-10-07 à 08 h 11, Geert Heremans via PacketFence-users a écrit : > > Thank you Maile and others > > Really appreciate it. > > Putting the management network on the same as the DC din't work. > > Would it help if I joined the server using the net ads command end bypass > the Join Domain function in PF? > > Best regards > Geert > > Op wo 7 okt. 2020 om 10:32 schreef Maile Halatuituia < > maile.halatuit...@tcc.to>: > >> Hi Geert >> >> I did have the same issue as yours but mine got fixed when I put my >> management interface on the same network where my Doman Controller is. >> >> To be more clearer, my Domain IP is 10.0.1.x/24 and my PF Management >> Interface is 10.0.1.y/24. After I made that changed , everything works just >> fine. Hope it will help you. >> >> Maile. >> >> >> >> *From:* Geert Heremans via PacketFence-users < >> packetfence-users@lists.sourceforge.net> >> *Sent:* Wednesday, 7 October 2020 9:59 AM >> *To:* packetfence-users@lists.sourceforge.net >> *Cc:* Geert Heremans >> *Subject:* [PacketFence-users] Cannot join domain using GUI - net ads >> join works >> >> >> >> Hello everyone >> >> >> >> I'm trying to get my PF10 server to join my domain. The PF hostname is >> hades and my domain is sintcordula.be. >> >> >> >> Trying to join from the gui false because no DC is found. >> >> >> >> However when I try to join the server using the shell it works. The >> computer account is created in the domain. >> >> >> >> Failed to join domain: failed to find DC for domain SINTCORDULA - >> {Operation Failed} The requested operation was unsuccessful. >> >> >> >> net ads join -s /etc/samba/scis2.conf -U >> Using short domain name -- SINTCORDULA >> Joined 'HADES' to dns domain 'SINTCORDULA.BE' >> No DNS domain configured for hades. Unable to perform DNS Update. >> DNS update failed: NT_STATUS_INVALID_PARAMETER >> >> >> >> Can anyone point me into the right direction for debugging? >> >> >> >> Best Regards >> >> Geert >> >> >> >> >> >> Confidentiality Notice: >> >> This email (including any attachment) is intended for internal use only. >> Any unauthorized use, dissemination or copying of the content is >> prohibited. If you are not the intended recipient and have received this >> e-mail in error, please notify the sender by email and delete this email >> and any attachment. >> >> Confidentiality Notice: >> >> This email (including any attachment) is intended for internal use only. >> Any unauthorized use, dissemination or copying of the content is >> prohibited. If you are not the intended recipient and have received this >> e-mail in error, please notify the sender by email and delete this email >> and any attachment. >> > > > ___ > PacketFence-users mailing > listPacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/packetfence-users > > -- > Fabrice durandfdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence > (http://packetfence.org) > > ___ > PacketFence-users mailing list > PacketFence-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/packetfence-users > iptables.conf Description: Binary data ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Hello Geert, can you provide the file /usr/local/pf/var/conf/iptables.conf and the output of iptables -L -n -v Regards Fabrice Le 20-10-07 à 08 h 11, Geert Heremans via PacketFence-users a écrit : Thank you Maile and others Really appreciate it. Putting the management network on the same as the DC din't work. Would it help if I joined the server using the net ads command end bypass the Join Domain function in PF? Best regards Geert Op wo 7 okt. 2020 om 10:32 schreef Maile Halatuituia mailto:maile.halatuit...@tcc.to>>: Hi Geert I did have the same issue as yours but mine got fixed when I put my management interface on the same network where my Doman Controller is. To be more clearer, my Domain IP is 10.0.1.x/24 and my PF Management Interface is 10.0.1.y/24. After I made that changed , everything works just fine. Hope it will help you. Maile. *From:*Geert Heremans via PacketFence-users mailto:packetfence-users@lists.sourceforge.net>> *Sent:* Wednesday, 7 October 2020 9:59 AM *To:* packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net> *Cc:* Geert Heremans mailto:heremans.ge...@gmail.com>> *Subject:* [PacketFence-users] Cannot join domain using GUI - net ads join works Hello everyone I'm trying to get my PF10 server to join my domain. The PF hostname is hades and my domain is sintcordula.be <http://sintcordula.be>. Trying to join from the gui false because no DC is found. However when I try to join the server using the shell it works. The computer account is created in the domain. Failed to join domain: failed to find DC for domain SINTCORDULA - {Operation Failed} The requested operation was unsuccessful. net ads join -s /etc/samba/scis2.conf -U Using short domain name -- SINTCORDULA Joined 'HADES' to dns domain 'SINTCORDULA.BE <http://SINTCORDULA.BE>' No DNS domain configured for hades. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER Can anyone point me into the right direction for debugging? Best Regards Geert Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users -- Fabrice Durand fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org) ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Thank you Maile and others Really appreciate it. Putting the management network on the same as the DC din't work. Would it help if I joined the server using the net ads command end bypass the Join Domain function in PF? Best regards Geert Op wo 7 okt. 2020 om 10:32 schreef Maile Halatuituia < maile.halatuit...@tcc.to>: > Hi Geert > > I did have the same issue as yours but mine got fixed when I put my > management interface on the same network where my Doman Controller is. > > To be more clearer, my Domain IP is 10.0.1.x/24 and my PF Management > Interface is 10.0.1.y/24. After I made that changed , everything works just > fine. Hope it will help you. > > Maile. > > > > *From:* Geert Heremans via PacketFence-users < > packetfence-users@lists.sourceforge.net> > *Sent:* Wednesday, 7 October 2020 9:59 AM > *To:* packetfence-users@lists.sourceforge.net > *Cc:* Geert Heremans > *Subject:* [PacketFence-users] Cannot join domain using GUI - net ads > join works > > > > Hello everyone > > > > I'm trying to get my PF10 server to join my domain. The PF hostname is > hades and my domain is sintcordula.be. > > > > Trying to join from the gui false because no DC is found. > > > > However when I try to join the server using the shell it works. The > computer account is created in the domain. > > > > Failed to join domain: failed to find DC for domain SINTCORDULA - > {Operation Failed} The requested operation was unsuccessful. > > > > net ads join -s /etc/samba/scis2.conf -U > Using short domain name -- SINTCORDULA > Joined 'HADES' to dns domain 'SINTCORDULA.BE' > No DNS domain configured for hades. Unable to perform DNS Update. > DNS update failed: NT_STATUS_INVALID_PARAMETER > > > > Can anyone point me into the right direction for debugging? > > > > Best Regards > > Geert > > > > > > Confidentiality Notice: > > This email (including any attachment) is intended for internal use only. > Any unauthorized use, dissemination or copying of the content is > prohibited. If you are not the intended recipient and have received this > e-mail in error, please notify the sender by email and delete this email > and any attachment. > > Confidentiality Notice: > > This email (including any attachment) is intended for internal use only. > Any unauthorized use, dissemination or copying of the content is > prohibited. If you are not the intended recipient and have received this > e-mail in error, please notify the sender by email and delete this email > and any attachment. > ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Hi Geert I did have the same issue as yours but mine got fixed when I put my management interface on the same network where my Doman Controller is. To be more clearer, my Domain IP is 10.0.1.x/24 and my PF Management Interface is 10.0.1.y/24. After I made that changed , everything works just fine. Hope it will help you. Maile. From: Geert Heremans via PacketFence-users Sent: Wednesday, 7 October 2020 9:59 AM To: packetfence-users@lists.sourceforge.net Cc: Geert Heremans Subject: [PacketFence-users] Cannot join domain using GUI - net ads join works Hello everyone I'm trying to get my PF10 server to join my domain. The PF hostname is hades and my domain is sintcordula.be<http://sintcordula.be>. Trying to join from the gui false because no DC is found. However when I try to join the server using the shell it works. The computer account is created in the domain. Failed to join domain: failed to find DC for domain SINTCORDULA - {Operation Failed} The requested operation was unsuccessful. net ads join -s /etc/samba/scis2.conf -U Using short domain name -- SINTCORDULA Joined 'HADES' to dns domain 'SINTCORDULA.BE<http://SINTCORDULA.BE>' No DNS domain configured for hades. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER Can anyone point me into the right direction for debugging? Best Regards Geert Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Have you tried joining using the full domain name, that is, with the .be part? On Wed, Oct 7, 2020, 8:17 AM Geert Heremans via PacketFence-users < packetfence-users@lists.sourceforge.net> wrote: > Hello everyone > > I'm trying to get my PF10 server to join my domain. The PF hostname is > hades and my domain is sintcordula.be. > > Trying to join from the gui false because no DC is found. > > However when I try to join the server using the shell it works. The > computer account is created in the domain. > > Failed to join domain: failed to find DC for domain SINTCORDULA - > {Operation Failed} The requested operation was unsuccessful. > > net ads join -s /etc/samba/scis2.conf -U > Using short domain name -- SINTCORDULA > Joined 'HADES' to dns domain 'SINTCORDULA.BE' > No DNS domain configured for hades. Unable to perform DNS Update. > DNS update failed: NT_STATUS_INVALID_PARAMETER > > Can anyone point me into the right direction for debugging? > > Best Regards > Geert > > > ___ > PacketFence-users mailing list > PacketFence-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/packetfence-users > ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
FWIW I had this problem when I tried to specify an OU besides the default. Even if I pre-created the Packetfence object as specified, it still didn't work. I had to keep the OU default. Thanks. From: Geert Heremans via PacketFence-users Sent: Tuesday, October 6, 2020 4:58 PM To: packetfence-users@lists.sourceforge.net Cc: Geert Heremans Subject: [PacketFence-users] Cannot join domain using GUI - net ads join works Hello everyone I'm trying to get my PF10 server to join my domain. The PF hostname is hades and my domain is sintcordula.be<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsintcordula.be%2F=02%7C01%7Cronaldoley%40kings.edu%7C0c3ba24a79304b67b4cc08d86a801f57%7C93faac0947da4186be23130043bb3418%7C0%7C1%7C637376445822440585=HR54h59TvjZclzBLOvzEDGCj0Sn%2B90SpLHJkqiLvWxg%3D=0>. Trying to join from the gui false because no DC is found. However when I try to join the server using the shell it works. The computer account is created in the domain. Failed to join domain: failed to find DC for domain SINTCORDULA - {Operation Failed} The requested operation was unsuccessful. net ads join -s /etc/samba/scis2.conf -U Using short domain name -- SINTCORDULA Joined 'HADES' to dns domain 'SINTCORDULA.BE<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsintcordula.be%2F=02%7C01%7Cronaldoley%40kings.edu%7C0c3ba24a79304b67b4cc08d86a801f57%7C93faac0947da4186be23130043bb3418%7C0%7C1%7C637376445822450583=YVkQoEvggPxxsa3FRiDq%2B1qxVlbrC%2BOPH8basto9yks%3D=0>' No DNS domain configured for hades. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER Can anyone point me into the right direction for debugging? Best Regards Geert ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
Hello Gents I did in fact try it using the tld of the domain. Without succes however. I've kept the Standard computer ou for the Creation of the account. Also to no available. Would it help of I Precreated a computer account with the same name as the server? Or would this give a conflict as of triest to Create an account with the same name? Best r egards Geert Op wo 7 okt. 2020 07:25 schreef Oley, Ronald : > FWIW I had this problem when I tried to specify an OU besides the > default. Even if I pre-created the Packetfence object as specified, it > still didn't work. I had to keep the OU default. > > Thanks. > -- > *From:* Geert Heremans via PacketFence-users < > packetfence-users@lists.sourceforge.net> > *Sent:* Tuesday, October 6, 2020 4:58 PM > *To:* packetfence-users@lists.sourceforge.net < > packetfence-users@lists.sourceforge.net> > *Cc:* Geert Heremans > *Subject:* [PacketFence-users] Cannot join domain using GUI - net ads > join works > > Hello everyone > > I'm trying to get my PF10 server to join my domain. The PF hostname is > hades and my domain is sintcordula.be > <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsintcordula.be%2F=02%7C01%7Cronaldoley%40kings.edu%7C0c3ba24a79304b67b4cc08d86a801f57%7C93faac0947da4186be23130043bb3418%7C0%7C1%7C637376445822440585=HR54h59TvjZclzBLOvzEDGCj0Sn%2B90SpLHJkqiLvWxg%3D=0> > . > > Trying to join from the gui false because no DC is found. > > However when I try to join the server using the shell it works. The > computer account is created in the domain. > > Failed to join domain: failed to find DC for domain SINTCORDULA - > {Operation Failed} The requested operation was unsuccessful. > > net ads join -s /etc/samba/scis2.conf -U > Using short domain name -- SINTCORDULA > Joined 'HADES' to dns domain 'SINTCORDULA.BE > <https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsintcordula.be%2F=02%7C01%7Cronaldoley%40kings.edu%7C0c3ba24a79304b67b4cc08d86a801f57%7C93faac0947da4186be23130043bb3418%7C0%7C1%7C637376445822450583=YVkQoEvggPxxsa3FRiDq%2B1qxVlbrC%2BOPH8basto9yks%3D=0> > ' > No DNS domain configured for hades. Unable to perform DNS Update. > DNS update failed: NT_STATUS_INVALID_PARAMETER > > Can anyone point me into the right direction for debugging? > > Best Regards > Geert > > > ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
[PacketFence-users] Cannot join domain using GUI - net ads join works
Hello everyone I'm trying to get my PF10 server to join my domain. The PF hostname is hades and my domain is sintcordula.be. Trying to join from the gui false because no DC is found. However when I try to join the server using the shell it works. The computer account is created in the domain. Failed to join domain: failed to find DC for domain SINTCORDULA - {Operation Failed} The requested operation was unsuccessful. net ads join -s /etc/samba/scis2.conf -U Using short domain name -- SINTCORDULA Joined 'HADES' to dns domain 'SINTCORDULA.BE' No DNS domain configured for hades. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER Can anyone point me into the right direction for debugging? Best Regards Geert ___ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users