Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Akala Kehinde via PacketFence-users
Hi Fabrice,

Pls see attached..

Regards,
Kehinde

On Thu, Aug 24, 2017 at 1:33 AM, Durand fabrice  wrote:

> No, it's perfect; MYDOMAIN-b is the link to the namespace.
>
> So the issue is probably iptables, can you paste the content of
> var/conf/iptables.conf ?
>
>
>
> Le 2017-08-23 à 17:20, Akala Kehinde a écrit :
>
> It appears MYDOMAIN-b binds on the wrong interface?
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 11:17 PM, Akala Kehinde 
> wrote:
>
>> Hi Fabrice,
>>
>> See below:
>>
>> [root@pfence sysctl.d]# ip route
>> default via 172.16.7.1 dev eth1
>> 169.254.0.0/30 dev MYDOMAIN-b  proto kernel  scope link  src 169.254.0.2
>> 169.254.0.0/16 dev eth0  scope link  metric 1002
>> 169.254.0.0/16 dev eth1  scope link  metric 1003
>> 169.254.0.0/16 dev eth0.100  scope link  metric 1004
>> 169.254.0.0/16 dev eth0.101  scope link  metric 1005
>> 169.254.0.0/16 dev eth0.4  scope link  metric 1006
>> 169.254.0.0/16 dev eth0.5  scope link  metric 1007
>> 169.254.0.0/16 dev eth0.6  scope link  metric 1008
>> 169.254.0.0/16 dev eth0.98  scope link  metric 1009
>> 169.254.0.0/16 dev eth0.99  scope link  metric 1010
>> 172.16.4.0/24 dev eth0.4  proto kernel  scope link  src 172.16.4.2
>> 172.16.7.0/24 dev eth1  proto kernel  scope link  src 172.16.7.13
>> 172.16.98.0/24 dev eth0.98  proto kernel  scope link  src 172.16.98.1
>> 172.16.99.0/24 dev eth0.99  proto kernel  scope link  src 172.16.99.1
>> 172.16.100.0/24 dev eth0.100  proto kernel  scope link  src 172.16.100.10
>> 172.16.101.0/24 dev eth0.101  proto kernel  scope link  src 172.16.101.1
>> [root@pfence sysctl.d]#
>>
>> [root@pfence sysctl.d]# ip route get 172.16.7.10
>> 172.16.7.10 dev eth1  src 172.16.7.13
>> cache
>> [root@pfence sysctl.d]#
>>
>>
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 9:47 PM, Fabrice Durand 
>> wrote:
>>
>>> Ok so your issue is related to the route of the system.
>>>
>>> do:
>>>
>>> ip route
>>>
>>> and:
>>>
>>> ip route get 172.16.7.10
>>>
>>> restart iptables
>>>
>>>
>>>
>>> Le 2017-08-23 à 15:44, Akala Kehinde a écrit :
>>>
>>> Hi Fabrice,
>>>
>>> See below:
>>>
>>> [root@pfence sysctl.d]# ip netns exec MYDOMAIN ping 172.16.7.10
>>> PING 172.16.7.10 (172.16.7.10) 56(84) bytes of data.
>>>
>>> --- 172.16.7.10 ping statistics ---
>>> 22 packets transmitted, 0 received, 100% packet loss, time 21107ms
>>>
>>> [root@pfence sysctl.d]# ip netns exec MYDOMAIN nslookup www.google.de
>>> ;; connection timed out; trying next origin
>>> ;; connection timed out; no servers could be reached
>>>
>>> [root@pfence sysctl.d]#
>>>
>>>
>>> Regards,
>>> Kehinde
>>>
>>> On Wed, Aug 23, 2017 at 6:45 PM, Fabrice Durand via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>

 Let's try that:

 ip netns exec MYDOMAIN ping 172.16.7.10

 ip netns exec MYDOMAIN nslookup www.google.de

 What is the result ?

 Le 2017-08-23 à 10:55, Akala Kehinde a écrit :

 Hello Fabrice,

 Was thinking, could it be a problem with the winbindd itself.

 Regards,
 Kehinde

 On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde 
 wrote:

> Hallo Fabrice,
>
> [root@pfence sysctl.d]# cat 99-ip_forward.conf
> # ip forwarding enabled by packetfence
> net.ipv4.ip_forward = 1
>
> Checked timing already on both servers, it's the same.
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via PacketFence-users
>  wrote:
>
>> Hello Akala,
>>
>> Is ip_forward enabled?
>>
>> Is the time of the packetfence server the same as the AD server?
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> Le 2017-08-23 à 02:38, Akala Kehinde a écrit :
>>
>> Hello Fabrice,
>>
>> Kindly see below:
>>
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> Error looking up domain users
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>> Error looking up domain groups
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> checking the trust secret for domain (null) via RPC calls failed
>> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
>> Could not check secret
>> [root@pfence pf]#
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>> could not obtain winbind interface 
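
Added example, not part of the original messages and not PacketFence code: the checks exchanged in this thread, applied in order to captured command output so that the first failing layer is named. The function names and result labels are assumptions made for this example; the sample outputs are copied from the messages in this thread.

```bash
#!/bin/sh
# Added example: triage of the outputs collected in this thread.
# Function names and result labels are hypothetical, chosen for this example.

# wbinfo prints one of these strings when it cannot reach winbindd.
winbind_available() {
    ! printf '%s\n' "$1" |
        grep -Eq 'WBC_ERR_WINBIND_NOT_AVAILABLE|could not ping winbindd'
}

# Packet-loss percentage from the ping summary line (empty if none found).
ping_loss() {
    printf '%s\n' "$1" |
        sed -n 's/.* \([0-9][0-9]*\)% packet loss.*/\1/p' | head -n 1
}

# Outgoing device chosen by `ip route get <dst>` (empty if no route).
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# True when a sysctl fragment sets net.ipv4.ip_forward to 1.
ip_forward_enabled() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# $1: wbinfo output            $2: `ip netns exec <ns> ping <dc>` output
# $3: host `ip route get <dc>` $4: contents of the ip_forward sysctl file
triage() {
    if winbind_available "$1"; then
        echo "winbind-ok"
    elif [ -z "$(ping_loss "$2")" ]; then
        echo "no-ping-data"
    elif [ "$(ping_loss "$2")" -lt 100 ]; then
        # The namespace reaches the server, so look at the join itself.
        echo "namespace-reaches-ad"
    elif [ -z "$(route_dev "$3")" ]; then
        echo "host-has-no-route"
    elif ! ip_forward_enabled "$4"; then
        echo "ip-forward-disabled"
    else
        # The host routes to the server and forwarding is on, yet the
        # namespace gets no replies: what remains is the firewall/NAT rules
        # between the namespace link (MYDOMAIN-b) and the outgoing interface.
        echo "check-iptables"
    fi
}

# Outputs copied from the messages in this thread.
SAMPLE_WBINFO='Ping to winbindd failed
could not ping winbindd!'
SAMPLE_PING='PING 172.16.7.10 (172.16.7.10) 56(84) bytes of data.

--- 172.16.7.10 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21107ms'
SAMPLE_ROUTE='172.16.7.10 dev eth1  src 172.16.7.13
    cache'
SAMPLE_SYSCTL='# ip forwarding enabled by packetfence
net.ipv4.ip_forward = 1'

triage "$SAMPLE_WBINFO" "$SAMPLE_PING" "$SAMPLE_ROUTE" "$SAMPLE_SYSCTL"
# prints: check-iptables
```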

Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Akala Kehinde via PacketFence-users
Hi Fabrice,

See below:

[root@pfence sysctl.d]# ip route
default via 172.16.7.1 dev eth1
169.254.0.0/30 dev MYDOMAIN-b  proto kernel  scope link  src 169.254.0.2
169.254.0.0/16 dev eth0  scope link  metric 1002
169.254.0.0/16 dev eth1  scope link  metric 1003
169.254.0.0/16 dev eth0.100  scope link  metric 1004
169.254.0.0/16 dev eth0.101  scope link  metric 1005
169.254.0.0/16 dev eth0.4  scope link  metric 1006
169.254.0.0/16 dev eth0.5  scope link  metric 1007
169.254.0.0/16 dev eth0.6  scope link  metric 1008
169.254.0.0/16 dev eth0.98  scope link  metric 1009
169.254.0.0/16 dev eth0.99  scope link  metric 1010
172.16.4.0/24 dev eth0.4  proto kernel  scope link  src 172.16.4.2
172.16.7.0/24 dev eth1  proto kernel  scope link  src 172.16.7.13
172.16.98.0/24 dev eth0.98  proto kernel  scope link  src 172.16.98.1
172.16.99.0/24 dev eth0.99  proto kernel  scope link  src 172.16.99.1
172.16.100.0/24 dev eth0.100  proto kernel  scope link  src 172.16.100.10
172.16.101.0/24 dev eth0.101  proto kernel  scope link  src 172.16.101.1
[root@pfence sysctl.d]#

[root@pfence sysctl.d]# ip route get 172.16.7.10
172.16.7.10 dev eth1  src 172.16.7.13
cache
[root@pfence sysctl.d]#



Regards,
Kehinde

On Wed, Aug 23, 2017 at 9:47 PM, Fabrice Durand  wrote:

> Ok so your issue is related to the route of the system.
>
> do:
>
> ip route
>
> and:
>
> ip route get 172.16.7.10
>
> restart iptables
>
>
>
> Le 2017-08-23 à 15:44, Akala Kehinde a écrit :
>
> Hi Fabrice,
>
> See below:
>
> [root@pfence sysctl.d]# ip netns exec MYDOMAIN ping 172.16.7.10
> PING 172.16.7.10 (172.16.7.10) 56(84) bytes of data.
>
> --- 172.16.7.10 ping statistics ---
> 22 packets transmitted, 0 received, 100% packet loss, time 21107ms
>
> [root@pfence sysctl.d]# ip netns exec MYDOMAIN nslookup www.google.de
> ;; connection timed out; trying next origin
> ;; connection timed out; no servers could be reached
>
> [root@pfence sysctl.d]#
>
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 6:45 PM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>>
>> Let's try that:
>>
>> ip netns exec MYDOMAIN ping 172.16.7.10
>>
>> ip netns exec MYDOMAIN nslookup www.google.de
>>
>> What is the result ?
>>
>> Le 2017-08-23 à 10:55, Akala Kehinde a écrit :
>>
>> Hello Fabrice,
>>
>> Was thinking, could it be a problem with the winbindd itself.
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde 
>> wrote:
>>
>>> Hallo Fabrice,
>>>
>>> [root@pfence sysctl.d]# cat 99-ip_forward.conf
>>> # ip forwarding enabled by packetfence
>>> net.ipv4.ip_forward = 1
>>>
>>> Checked timing already on both servers, it's the same.
>>>
>>> Regards,
>>> Kehinde
>>>
>>> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
 Hello Akala,

 Is ip_forward enabled?

 Is the time of the packetfence server the same as the AD server?

 Regards

 Fabrice



 Le 2017-08-23 à 02:38, Akala Kehinde a écrit :

 Hello Fabrice,

 Kindly see below:

 [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
 could not obtain winbind interface details:
 WBC_ERR_WINBIND_NOT_AVAILABLE
 could not obtain winbind domain name!
 Error looking up domain users
 [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
 could not obtain winbind interface details:
 WBC_ERR_WINBIND_NOT_AVAILABLE
 could not obtain winbind domain name!
 failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
 Error looking up domain groups
 [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
 could not obtain winbind interface details:
 WBC_ERR_WINBIND_NOT_AVAILABLE
 could not obtain winbind domain name!
 checking the trust secret for domain (null) via RPC calls failed
 failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
 Could not check secret
 [root@pfence pf]#
 [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
 could not obtain winbind interface details:
 WBC_ERR_WINBIND_NOT_AVAILABLE
 could not obtain winbind domain name!
 checking the NETLOGON for domain[] dc connection to "" failed
 failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
 [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
 Ping to winbindd failed
 could not ping winbindd!
 [root@pfence pf]#


 Tested with TESTMAWOH.DE but still cannot join..
 It's driving me nuts:)

 Regards,
 Kehinde

 On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via PacketFence-users <
 packetfence-users@lists.sourceforge.net> wrote:

> Hello Akala,
>
> What happens if you do that:
>
> chroot /chroots/MYDOMAIN
>
> wbinfo -u
>
> wbinfo -g
>
> If there are no usernames or groups displayed then try:
>
> 

Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Akala Kehinde via PacketFence-users
Hi Fabrice,

See below:

[root@pfence sysctl.d]# ip netns exec MYDOMAIN ping 172.16.7.10
PING 172.16.7.10 (172.16.7.10) 56(84) bytes of data.

--- 172.16.7.10 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21107ms

[root@pfence sysctl.d]# ip netns exec MYDOMAIN nslookup www.google.de
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

[root@pfence sysctl.d]#


Regards,
Kehinde

On Wed, Aug 23, 2017 at 6:45 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

>
> Let's try that:
>
> ip netns exec MYDOMAIN ping 172.16.7.10
>
> ip netns exec MYDOMAIN nslookup www.google.de
>
> What is the result ?
>
> Le 2017-08-23 à 10:55, Akala Kehinde a écrit :
>
> Hello Fabrice,
>
> Was thinking, could it be a problem with the winbindd itself.
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde 
> wrote:
>
>> Hallo Fabrice,
>>
>> [root@pfence sysctl.d]# cat 99-ip_forward.conf
>> # ip forwarding enabled by packetfence
>> net.ipv4.ip_forward = 1
>>
>> Checked timing already on both servers, it's the same.
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Akala,
>>>
>>> Is ip_forward enabled?
>>>
>>> Is the time of the packetfence server the same as the AD server?
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> Le 2017-08-23 à 02:38, Akala Kehinde a écrit :
>>>
>>> Hello Fabrice,
>>>
>>> Kindly see below:
>>>
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> Error looking up domain users
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> Error looking up domain groups
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> checking the trust secret for domain (null) via RPC calls failed
>>> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> Could not check secret
>>> [root@pfence pf]#
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> checking the NETLOGON for domain[] dc connection to "" failed
>>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
>>> Ping to winbindd failed
>>> could not ping winbindd!
>>> [root@pfence pf]#
>>>
>>>
>>> Tested with TESTMAWOH.DE but still cannot join..
>>> It's driving me nuts:)
>>>
>>> Regards,
>>> Kehinde
>>>
>>> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> wrote:
>>>
 Hello Akala,

 What happens if you do that:

 chroot /chroots/MYDOMAIN

 wbinfo -u

 wbinfo -g

 If there are no usernames or groups displayed then try:

 dns_name=TESTMAWOH.DE
 and rejoin

 Regards
 Fabrice


 Le 2017-08-22 à 22:21, Akala Kehinde via PacketFence-users a écrit :


 Hello guys,

 I get this error when trying to join PF to an Active Directory Server:

 [root@pfence pf]# tail -f /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
 [2017/08/23 02:20:34.196193,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
   Could not fetch our SID - did we join?
 [2017/08/23 02:20:34.196275,  0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
   unable to initialize domain list
 [2017/08/23 02:20:34.324267,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
   initialize_winbindd_cache: clearing cache and re-creating with version number 2
 [2017/08/23 02:20:34.333731,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
   Could not fetch our SID - did we join?

 [root@pfence pf]#

 Below is my domain.conf file:

 [MYDOMAIN]
 ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
 ntlm_cache=disabled
 registration=0
 ntlm_cache_expiry=3600
 dns_name=egelsbach.testmawoh.de
 dns_servers=172.16.7.10
 ou=Computers
 ntlm_cache_on_connection=disabled
 workgroup=TESTMAWOH
 ntlm_cache_batch_one_at_a_time=disabled
 sticky_dc=*
 ad_server=winserver.egelsbach.testmawoh.de
 ntlm_cache_batch=disabled
 server_name=pfence
 bind_pass=
 bind_dn=

 

Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Akala Kehinde via PacketFence-users
Hello Fabrice,

Was thinking, could it be a problem with the winbindd itself.

Regards,
Kehinde

On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde 
wrote:

> Hallo Fabrice,
>
> [root@pfence sysctl.d]# cat 99-ip_forward.conf
> # ip forwarding enabled by packetfence
> net.ipv4.ip_forward = 1
>
> Checked timing already on both servers, it's the same.
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Akala,
>>
>> Is ip_forward enabled?
>>
>> Is the time of the packetfence server the same as the AD server?
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> Le 2017-08-23 à 02:38, Akala Kehinde a écrit :
>>
>> Hello Fabrice,
>>
>> Kindly see below:
>>
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> Error looking up domain users
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>> Error looking up domain groups
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> checking the trust secret for domain (null) via RPC calls failed
>> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
>> Could not check secret
>> [root@pfence pf]#
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> checking the NETLOGON for domain[] dc connection to "" failed
>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
>> Ping to winbindd failed
>> could not ping winbindd!
>> [root@pfence pf]#
>>
>>
>> Tested with TESTMAWOH.DE but still cannot join..
>> It's driving me nuts:)
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello Akala,
>>>
>>> What happens if you do that:
>>>
>>> chroot /chroots/MYDOMAIN
>>>
>>> wbinfo -u
>>>
>>> wbinfo -g
>>>
>>> If there are no usernames or groups displayed then try:
>>>
>>> dns_name=TESTMAWOH.DE
>>> and rejoin
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> Le 2017-08-22 à 22:21, Akala Kehinde via PacketFence-users a écrit :
>>>
>>>
>>> Hello guys,
>>>
>>> I get this error when trying to join PF to an Active Directory Server:
>>>
>>> [root@pfence pf]# tail -f /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>>> [2017/08/23 02:20:34.196193,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>   Could not fetch our SID - did we join?
>>> [2017/08/23 02:20:34.196275,  0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>>   unable to initialize domain list
>>> [2017/08/23 02:20:34.324267,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>>>   initialize_winbindd_cache: clearing cache and re-creating with version number 2
>>> [2017/08/23 02:20:34.333731,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>   Could not fetch our SID - did we join?
>>>
>>> [root@pfence pf]#
>>>
>>> Below is my domain.conf file:
>>>
>>> [MYDOMAIN]
>>> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
>>> ntlm_cache=disabled
>>> registration=0
>>> ntlm_cache_expiry=3600
>>> dns_name=egelsbach.testmawoh.de
>>> dns_servers=172.16.7.10
>>> ou=Computers
>>> ntlm_cache_on_connection=disabled
>>> workgroup=TESTMAWOH
>>> ntlm_cache_batch_one_at_a_time=disabled
>>> sticky_dc=*
>>> ad_server=winserver.egelsbach.testmawoh.de
>>> ntlm_cache_batch=disabled
>>> server_name=pfence
>>> bind_pass=
>>> bind_dn=
>>>
>>> [root@pfence pf]# ps -efd | grep winbindd
>>> root 20052     1  7 04:15 ?     00:00:14 winbindd-wrapper
>>> root 21912 20052  1 04:18 ?     00:00:00 sudo chroot /chroots/MYDOMAIN /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>>> root 21913 21912  0 04:18 ?     00:00:00 /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>>> root 21915  4173  0 04:18 ttyS0 00:00:00 grep --color=auto winbindd
>>>
>>> [root@pfence pf]# /usr/local/pf/bin/pfcmd service winbindd status
>>> service|shouldBeStarted|pid
>>> winbindd|1|20052
>>> [root@pfence pf]#
>>>
>>> There is reachability between PF, the AD and DNS servers and all can
>>> resolve DNS queries.
>>>
>>> I have tried everything but it just refuses to bind. What else could be
>>> wrong pls?
>>>
>>>
>>> Regards,
>>> Kehinde
>>>
>>>
>>> 

Re: [PacketFence-users] EAP-TTLS showing as connection type "Wireless-802.11-NoEAP"

2017-08-23 Thread Matt Munro via PacketFence-users
Hi Louis,

Patch did the trick :)

Regards
Matt

On Wed, Aug 23, 2017 at 2:58 AM, Louis Munro  wrote:

> Hi Matt,
> Can you try this patch please?
>
> https://github.com/louismunro/packetfence/commit/9231fb76249289cfcfbe2db25524e2d4206fd001.diff
>
> Apply it like this:
>
> # cd /usr/local/pf
> # wget -Ofix.patch https://github.com/louismunro/packetfence/commit/9231fb76249289cfcfbe2db25524e2d4206fd001.diff
> # patch -p1 < fix.patch
> # cp conf/radiusd/packetfence-tunnel{.example,}
> # systemctl restart packetfence-radiusd-auth
>
>
> The issue seems to stem from a missing EAP-Type attribute inside the TLS
> tunnel when using TTLS.
> Please let us know if that helps.
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>
> On Aug 22, 2017, at 01:45, Matt Munro via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hi Fabrice,
>
> I've attached the results of raddebug, only modified to remove the
> password.
>
> Thanks
>
> Matt Munro
> Network Administrator
> Brighton Road, Somerton Park SA 5044
> t: (08) 83502711
> e: mattmu...@shc.sa.edu.au
> www.shc.sa.edu.au
> CRICOS Provider No. 00626K
>
> On Tue, Aug 22, 2017 at 9:53 AM, Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Matt,
>>
>> can you provide the result of raddebug -f var/run/radius.sock ?
>>
>> The answer will be in this debug and you will probably have to add some
>> unlang code in packetfence-tunnel.
>>
>> Regards
>>
>> Fabrice
>>
>
>
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Fabrice Durand via PacketFence-users
Ok so your issue is related to the route of the system.

do:

ip route

and:

ip route get 172.16.7.10

restart iptables



Le 2017-08-23 à 15:44, Akala Kehinde a écrit :
> Hi Fabrice,
>
> See below:
>
> [root@pfence sysctl.d]# ip netns exec MYDOMAIN ping 172.16.7.10
> PING 172.16.7.10 (172.16.7.10) 56(84) bytes of data.
>
> --- 172.16.7.10 ping statistics ---
> 22 packets transmitted, 0 received, 100% packet loss, time 21107ms
>
> [root@pfence sysctl.d]# ip netns exec MYDOMAIN nslookup www.google.de
> 
> ;; connection timed out; trying next origin
> ;; connection timed out; no servers could be reached
>
> [root@pfence sysctl.d]#
>
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 6:45 PM, Fabrice Durand via PacketFence-users
>  > wrote:
>
>
> Let's try that:
>
> ip netns exec MYDOMAIN ping 172.16.7.10
>
> ip netns exec MYDOMAIN nslookup www.google.de 
>
> What is the result ?
>
>
> Le 2017-08-23 à 10:55, Akala Kehinde a écrit :
>> Hello Fabrice,
>>
>> Was thinking, could it be a problem with the winbindd itself.
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde
>> > wrote:
>>
>> Hallo Fabrice,
>>
>> [root@pfence sysctl.d]# cat 99-ip_forward.conf
>> # ip forwarding enabled by packetfence
>> net.ipv4.ip_forward = 1
>>
>> Checked timing already on both servers, it's the same.
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via
>> PacketFence-users > > wrote:
>>
>> Hello Akala,
>>
>> Is ip_forward enabled?
>>
>> Is the time of the packetfence server the same as
>> the AD server?
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> Le 2017-08-23 à 02:38, Akala Kehinde a écrit :
>>> Hello Fabrice,
>>>
>>> Kindly see below:
>>>
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>>> could not obtain winbind interface details:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> Error looking up domain users
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>>> could not obtain winbind interface details:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> Error looking up domain groups
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>>> could not obtain winbind interface details:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> checking the trust secret for domain (null) via RPC
>>> calls failed
>>> failed to call wbcCheckTrustCredentials:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> Could not check secret
>>> [root@pfence pf]#
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>>> could not obtain winbind interface details:
>>> WBC_ERR_WINBIND_NOT_AVAILABLE
>>> could not obtain winbind domain name!
>>> checking the NETLOGON for domain[] dc connection to ""
>>> failed
>>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
>>> Ping to winbindd failed
>>> could not ping winbindd!
>>> [root@pfence pf]#
>>>
>>>
>>> Tested with TESTMAWOH.DE  but still
>>> cannot join.. 
>>> It's driving me nuts:)
>>>
>>> Regards,
>>> Kehinde
>>>
>>> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via
>>> PacketFence-users
>>> >> > wrote:
>>>
>>> Hello Akala,
>>>
>>> What happens if you do that:
>>>
>>> chroot /chroots/MYDOMAIN
>>>
>>> wbinfo -u
>>>
>>> wbinfo -g
>>>
>>> If there are no usernames or groups displayed then try:
>>>
>>> dns_name=TESTMAWOH.DE 
>>>
>>> and rejoin
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> Le 2017-08-22 à 22:21, Akala Kehinde via
>>> PacketFence-users a écrit :

 Hello guys,

 I 

Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Fabrice Durand via PacketFence-users

Let's try that:

ip netns exec MYDOMAIN ping 172.16.7.10

ip netns exec MYDOMAIN nslookup www.google.de

What is the result ?


Le 2017-08-23 à 10:55, Akala Kehinde a écrit :
> Hello Fabrice,
>
> Was thinking, could it be a problem with the winbindd itself.
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 3:02 PM, Akala Kehinde  > wrote:
>
> Hallo Fabrice,
>
> [root@pfence sysctl.d]# cat 99-ip_forward.conf
> # ip forwarding enabled by packetfence
> net.ipv4.ip_forward = 1
>
> Checked timing already on both servers, it's the same.
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via
> PacketFence-users  > wrote:
>
> Hello Akala,
>
> Is ip_forward enabled?
>
> Is the time of the packetfence server the same as the AD
> server?
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-08-23 à 02:38, Akala Kehinde a écrit :
>> Hello Fabrice,
>>
>> Kindly see below:
>>
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> Error looking up domain users
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
>> Error looking up domain groups
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> checking the trust secret for domain (null) via RPC calls failed
>> failed to call wbcCheckTrustCredentials:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> Could not check secret
>> [root@pfence pf]#
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> checking the NETLOGON for domain[] dc connection to "" failed
>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
>> Ping to winbindd failed
>> could not ping winbindd!
>> [root@pfence pf]#
>>
>>
>> Tested with TESTMAWOH.DE  but still
>> cannot join.. 
>> It's driving me nuts:)
>>
>> Regards,
>> Kehinde
>>
>> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via
>> PacketFence-users > > wrote:
>>
>> Hello Akala,
>>
>> What happens if you do that:
>>
>> chroot /chroots/MYDOMAIN
>>
>> wbinfo -u
>>
>> wbinfo -g
>>
>> If there are no usernames or groups displayed then try:
>>
>> dns_name=TESTMAWOH.DE 
>>
>> and rejoin
>>
>> Regards
>> Fabrice
>>
>>
>> Le 2017-08-22 à 22:21, Akala Kehinde via
>> PacketFence-users a écrit :
>>>
>>> Hello guys,
>>>
>>> I get this error when trying to join PF to an Active
>>> Directory Server:
>>>
>>> [root@pfence pf]# tail -f /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>>> [2017/08/23 02:20:34.196193,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>   Could not fetch our SID - did we join?
>>> [2017/08/23 02:20:34.196275,  0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>>   unable to initialize domain list
>>> [2017/08/23 02:20:34.324267,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>>>   initialize_winbindd_cache: clearing cache and re-creating with version number 2
>>> [2017/08/23 02:20:34.333731,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>>   Could not fetch our SID - did we join?
>>>
>>> [root@pfence pf]#
>>>
>>> Below is my domain.conf file:
>>>
>>> [MYDOMAIN]
>>> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
>>> ntlm_cache=disabled
>>> registration=0
>>> ntlm_cache_expiry=3600
>>> 

Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Akala Kehinde via PacketFence-users
Hallo Fabrice,

[root@pfence sysctl.d]# cat 99-ip_forward.conf
# ip forwarding enabled by packetfence
net.ipv4.ip_forward = 1

Checked timing already on both servers, it's the same.

Regards,
Kehinde

On Wed, Aug 23, 2017 at 2:32 PM, Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Akala,
>
> Is ip_forward enabled?
>
> Is the time of the packetfence server the same as the AD server?
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-08-23 à 02:38, Akala Kehinde a écrit :
>
> Hello Fabrice,
>
> Kindly see below:
>
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
> Error looking up domain groups
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the trust secret for domain (null) via RPC calls failed
> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
> Could not check secret
> [root@pfence pf]#
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the NETLOGON for domain[] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
> Ping to winbindd failed
> could not ping winbindd!
> [root@pfence pf]#
>
>
> Tested with TESTMAWOH.DE but still cannot join..
> It's driving me nuts:)
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Akala,
>>
>> What happens if you do that:
>>
>> chroot /chroots/MYDOMAIN
>>
>> wbinfo -u
>>
>> wbinfo -g
>>
>> If there are no usernames or groups displayed then try:
>>
>> dns_name=TESTMAWOH.DE
>> and rejoin
>>
>> Regards
>> Fabrice
>>
>>
>> Le 2017-08-22 à 22:21, Akala Kehinde via PacketFence-users a écrit :
>>
>>
>> Hello guys,
>>
>> I get this error when trying to join PF to an Active Directory Server:
>>
>> [root@pfence pf]# tail -f /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>> [2017/08/23 02:20:34.196193,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>   Could not fetch our SID - did we join?
>> [2017/08/23 02:20:34.196275,  0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>   unable to initialize domain list
>> [2017/08/23 02:20:34.324267,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>>   initialize_winbindd_cache: clearing cache and re-creating with version number 2
>> [2017/08/23 02:20:34.333731,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>   Could not fetch our SID - did we join?
>>
>> [root@pfence pf]#
>>
>> Below is my domain.conf file:
>>
>> [MYDOMAIN]
>> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
>> ntlm_cache=disabled
>> registration=0
>> ntlm_cache_expiry=3600
>> dns_name=egelsbach.testmawoh.de
>> dns_servers=172.16.7.10
>> ou=Computers
>> ntlm_cache_on_connection=disabled
>> workgroup=TESTMAWOH
>> ntlm_cache_batch_one_at_a_time=disabled
>> sticky_dc=*
>> ad_server=winserver.egelsbach.testmawoh.de
>> ntlm_cache_batch=disabled
>> server_name=pfence
>> bind_pass=
>> bind_dn=
>>
>> [root@pfence pf]# ps -efd | grep winbindd
>> root 20052 1  7 04:15 ? 00:00:14 winbindd-wrapper
>> root 21912 20052  1 04:18 ? 00:00:00 sudo chroot /chroots/MYDOMAIN /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>> root 21913 21912  0 04:18 ? 00:00:00 /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>> root 21915  4173  0 04:18 ttyS0 00:00:00 grep --color=auto winbindd
>>
>> [root@pfence pf]# /usr/local/pf/bin/pfcmd service winbindd status
>> service|shouldBeStarted|pid
>> winbindd|1|20052
>> [root@pfence pf]#
>>
>> There is reachability between PF, the AD and DNS servers and all can
>> resolve DNS queries.
>>
>> I have tried everything but it just refuses to bind. What else could be wrong,
>> please?
>>
>>
>> Regards,
>> Kehinde

Re: [PacketFence-users] Disable Self Registration on PacketFence 7.2

2017-08-23 Thread Fabrice Durand via PacketFence-users
Hello Chandra,

Create a new Root portal module and add an authentication login, then
create a new connection profile, add a filter based on, for example, the
SSID, and assign a Root portal module that only does login.

To detect network connectivity, PacketFence tries to fetch a GIF from the
internet, so if you are using PacketFence out of band, be sure
that the device is able to reach the internet once on the prod VLAN.
If you are using inline mode, be sure that ip_forward has been
enabled on the PacketFence server and that the PacketFence server is
able to reach the internet.

Regards
Fabrice

On 2017-08-23 at 06:09, Chandra Ardi Sancaka via PacketFence-users wrote:
>
> Hi Guys,
>
> I’m new to this application, so I got a question, it’s a simple one,
> but I couldn’t find the right answer to my problem.
>
> The question is same as the subject: How to disable self registration
> on PF7.2
>
> And anyone can point me to the right direction to solve this one too:
> unable to detect network connectivity. I’ve done a little on the web,
> someone solved it but doesn’t explain how to.
>
> Please just please help me
>
> Regards,
>
> Chandra.

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Captive portal SSL not using defined cert after PF7 upgrade

2017-08-23 Thread Fabrice Durand via PacketFence-users
HAProxy terminates the SSL tunnel, not Apache anymore (for the portal).

So just this file is enough: /usr/local/pf/conf/ssl/server.pem

Regards

Fabrice



On 2017-08-23 at 03:24, Will Halsall via PacketFence-users wrote:
>
> I just added the intermediate certificate to the cat process:
>
> cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key /usr/local/pf/conf/ssl/intermediates.crt >/usr/local/pf/conf/ssl/server.pem
>
> and uncommented the intermediate certificate in ssl-certificates.conf
>
> Packetfence/conf/httpd.conf.d/ssl-certificates.conf:SSLCertificateChainFile %%install_dir%%/conf/ssl/intermediates.crt
>
> See if that helps
>
> *From:*Thomas, Gregory A via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Tuesday, August 22, 2017 8:21 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Thomas, Gregory A
> *Subject:* Re: [PacketFence-users] Captive portal SSL not using
> defined cert after PF7 upgrade
>
> I know this is an older post but I am having some problems with the
> cert getting to the user’s computer.
>
> I have concatenated the crt and key file to a pem. The thing is, I am
> using a wild card cert with a chain so on some machines the user is
> seeing an error of an invalid cert. When looking at the cert they are
> seeing it is from *.uwp.edu (which is the valid name) I am guessing it
> is invalid because it is missing the chain crt.
>
> Is there any way to include the chain in the pem file?
>
> --
> Gregory A. Thomas
> Student Life Support Specialist
> University of Wisconsin-Parkside
> thom...@uwp.edu
> 262.595.2432
>
> *From:*Virginie Girou [mailto:virginie.gi...@ut-capitole.fr]
> *Sent:* Tuesday, May 2, 2017 3:27 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Captive portal SSL not using
> defined cert after PF7 upgrade
>
> Hello,
>
> thank you it works now !
>
> Virginie Girou
> Equipe systeme
> DSI - UT1 Capitole
> Tel : +33 (0)5.61.63.39.19
>
> On 28/04/2017 at 23:53, Sokolowski, Darryl wrote:
>
> Fantastic!
>
> We’re up and running!
>
> Thanks again to all for your help!
>
> Darryl
>
> *From:*Louis Munro [mailto:lmu...@inverse.ca]
> *Sent:* Friday, April 28, 2017 5:46 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Captive portal SSL not using
> defined cert after PF7 upgrade
>
> On Apr 28, 2017, at 5:25 PM, Sokolowski, Darryl
> > wrote:
>
> Oh, ok, now I understand what Fabrice meant about haproxy
> terminating the ssl tunnel. Thanks for that explanation.
>
> Sorry, I didn’t pick that up right away.
>
> I changed var/conf/haproxy.conf to point at my certificates,
> and every time I restart the service, it rewrites haproxy.conf
> file back to using server.pem.
>
> That's the expected behaviour.
>
> That file is actually generated based on your configuration, every
> time you start the service.
>
> So reading your response again, it sounds like my concatenated
> certificate might need to be named ‘server.pem’.
>
> If I rename my certificate to ‘server.pem’, it works as desired.
>
> Is that the way to do it? Or am I still off-base?
>
> That's the way to go.
>
> ‘server.pem’ won’t get overwritten by an upgrade?
>
> This is what the packetfence.spec file does:
>
> #Make ssl certificate
> if [ ! -f /usr/local/pf/conf/ssl/server.crt ]; then
>     openssl req -x509 -new -nodes -days 365 -batch \
>         -out /usr/local/pf/conf/ssl/server.crt \
>         -keyout /usr/local/pf/conf/ssl/server.key \
>         -nodes -config /usr/local/pf/conf/openssl.cnf
>     cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key > /usr/local/pf/conf/ssl/server.pem
> fi
>
> So as long as you have a file named
> "/usr/local/pf/conf/ssl/server.crt" it won't overwrite the
> server.pem.
>
> I agree that this should be configurable.
>
> I'm adding it to the wishlist for 7.1 or 7.2.
>
> Regards,
> --
> Louis Munro
> lmu...@inverse.ca   ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
Re: [PacketFence-users] Multiple Nessus scan policies possible on PF?

2017-08-23 Thread Fabrice Durand via PacketFence-users
If Nessus supports it then why not, but it needs to be coded in the Nessus6
module.

Regards

Fabrice


On 2017-08-23 at 03:01, Akala Kehinde wrote:
> Hello Fabrice,
>
> Basically what I was trying to ask is if it's possible to attach more
> than 1 scan policy to a Nessus scan engine. Don't think it's possible.
> Except you create another engine with another policy, and attach both
> scan engines in the connection profile. 
>
> scan.conf
>
> [ENGINE1]
> ip=172.16.100.10
> scannername=Local Scanner
> duration=30s
> categories=staff
> port=8834
> registration=1
> username=nessusadmin
> post_registration=1
> password=pass
> pre_registration=0
> oses=202,1
> nessus_clientpolicy=basic
> type=nessus6
>
> [ENGINE2]
> ip=172.16.100.10
> scannername=Local Scanner
> duration=30s
> categories=staff
> port=8834
> registration=1
> username=nessusadmin
> post_registration=1
> password=pass
> pre_registration=0
> oses=202,1
> nessus_clientpolicy=wannacry
> type=nessus6
>
> Profile.conf
>
> [SNS]
> filter=port:7,port:8
> description=SNS PROFILE
> sources=LDAP
> redirecturl=http://www.mawoh.de
> logo=/common/mawoh.png
> root_module=SNS_PORTAL
> access_registration_when_registered=enabled
> scans=ENGINE1,ENGINE2
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 4:47 AM, Durand fabrice via PacketFence-users
>  > wrote:
>
> Hello Akala,
>
> yes, based on the os.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-08-18 at 15:44, Akala Kehinde via PacketFence-users wrote:
>> Hello guys.
>>
>> Will like to know if it's possible to have more than 1 nessus
>> scan policy configured on PF.
>>
>> Regards,
>> Kehinde

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Fabrice Durand via PacketFence-users
Hello Akala,

Is ip_forward enabled?

Is the time of the PacketFence server the same as the AD server?

Regards

Fabrice



On 2017-08-23 at 02:38, Akala Kehinde wrote:
> Hello Fabrice,
>
> Kindly see below:
>
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
> Error looking up domain groups
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the trust secret for domain (null) via RPC calls failed
> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
> Could not check secret
> [root@pfence pf]#
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the NETLOGON for domain[] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
> Ping to winbindd failed
> could not ping winbindd!
> [root@pfence pf]#
>
>
> Tested with TESTMAWOH.DE  but still cannot join.. 
> It's driving me nuts:)
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via PacketFence-users
>  > wrote:
>
> Hello Akala,
>
> what happens if you do that:
>
> chroot /chroots/MYDOMAIN
>
> wbinfo -u
>
> wbinfo -g
>
> if there are no usernames or groups displayed then try:
>
> dns_name=TESTMAWOH.DE 
>
> and rejoin
>
> Regards
> Fabrice
>
>
> On 2017-08-22 at 22:21, Akala Kehinde via PacketFence-users wrote:
>>
>> Hello guys,
>>
>> I get this error when trying to join PF to an Active Directory
>> Server:
>>
>> [root@pfence pf]# tail -f
>> /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>> [2017/08/23 02:20:34.196193,  0]
>> ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>   Could not fetch our SID - did we join?
>> [2017/08/23 02:20:34.196275,  0]
>> ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>   unable to initialize domain list
>> [2017/08/23 02:20:34.324267,  0]
>> ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>>   initialize_winbindd_cache: clearing cache and re-creating with
>> version number 2
>> [2017/08/23 02:20:34.333731,  0]
>> ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>   Could not fetch our SID - did we join?
>>
>> [root@pfence pf]#
>>
>> Below is my domain.conf file:
>>
>> [MYDOMAIN]
>> 
>> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
>> ntlm_cache=disabled
>> registration=0
>> ntlm_cache_expiry=3600
>> dns_name=egelsbach.testmawoh.de 
>> dns_servers=172.16.7.10
>> ou=Computers
>> ntlm_cache_on_connection=disabled
>> workgroup=TESTMAWOH
>> ntlm_cache_batch_one_at_a_time=disabled
>> sticky_dc=*
>> ad_server=winserver.egelsbach.testmawoh.de
>> 
>> ntlm_cache_batch=disabled
>> server_name=pfence
>> bind_pass=
>> bind_dn=
>>
>> [root@pfence pf]# ps -efd | grep winbindd
>> root 20052 1  7 04:15 ?00:00:14 winbindd-wrapper
>> root 21912 20052  1 04:18 ?00:00:00 sudo chroot
>> /chroots/MYDOMAIN /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf
>> -l /var/log/sambaMYDOMAIN --foreground
>> root 21913 21912  0 04:18 ?00:00:00
>> /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l
>> /var/log/sambaMYDOMAIN --foreground
>> root 21915  4173  0 04:18 ttyS000:00:00 grep --color=auto
>> winbindd
>>
>> [root@pfence pf]# /usr/local/pf/bin/pfcmd service winbindd status
>> service|shouldBeStarted|pid
>> winbindd|1|20052
>> [root@pfence pf]#
>>
>> There is reachability between PF, the AD and DNS servers and all
>> can resolve DNS queries. 
>>
>> I have tried everything but it just refuses to bind. What else could
>> be wrong, please?
>>
>>
>> Regards,
>> Kehinde

Re: [PacketFence-users] Multiple Nessus scan policies possible on PF?

2017-08-23 Thread Akala Kehinde via PacketFence-users
Hello Fabrice,

Basically what I was trying to ask is if it's possible to attach more than
1 scan policy to a Nessus scan engine. Don't think it's possible. Except
you create another engine with another policy, and attach both scan engines
in the connection profile.

scan.conf

[ENGINE1]
ip=172.16.100.10
scannername=Local Scanner
duration=30s
categories=staff
port=8834
registration=1
username=nessusadmin
post_registration=1
password=pass
pre_registration=0
oses=202,1
nessus_clientpolicy=basic
type=nessus6

[ENGINE2]
ip=172.16.100.10
scannername=Local Scanner
duration=30s
categories=staff
port=8834
registration=1
username=nessusadmin
post_registration=1
password=pass
pre_registration=0
oses=202,1
nessus_clientpolicy=wannacry
type=nessus6

Profile.conf

[SNS]
filter=port:7,port:8
description=SNS PROFILE
sources=LDAP
redirecturl=http://www.mawoh.de
logo=/common/mawoh.png
root_module=SNS_PORTAL
access_registration_when_registered=enabled
scans=ENGINE1,ENGINE2

Regards,
Kehinde

On Wed, Aug 23, 2017 at 4:47 AM, Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Akala,
>
> yes, based on the os.
>
> Regards
>
> Fabrice
>
>
>
> On 2017-08-18 at 15:44, Akala Kehinde via PacketFence-users wrote:
>
> Hello guys.
>
> Will like to know if it's possible to have more than 1 nessus scan policy
> configured on PF.
>
> Regards,
> Kehinde


[PacketFence-users] Disable Self Registration on PacketFence 7.2

2017-08-23 Thread Chandra Ardi Sancaka via PacketFence-users
Hi Guys,

I’m new to this application, so I got a question, it’s a simple one, but I 
couldn’t find the right answer to my problem.

The question is same as the subject : How to disable self registration on PF7.2

And anyone can point me to the right direction to solve this one too: unable to
detect network connectivity. I’ve done a little on the web, someone solved it
but doesn’t explain how to.

Please just please help me

Regards,

Chandra.



Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Akala Kehinde via PacketFence-users
Hello Fabrice,

Kindly see below:

[root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users
[root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
Error looking up domain groups
[root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret
[root@pfence pf]#
[root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the NETLOGON for domain[] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
[root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
Ping to winbindd failed
could not ping winbindd!
[root@pfence pf]#


Tested with TESTMAWOH.DE but still cannot join..
It's driving me nuts:)

Regards,
Kehinde

On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Akala,
>
> what happens if you do that:
>
> chroot /chroots/MYDOMAIN
>
> wbinfo -u
>
> wbinfo -g
>
> if there are no usernames or groups displayed then try:
>
> dns_name=TESTMAWOH.DE
> and rejoin
>
> Regards
> Fabrice
>
>
> On 2017-08-22 at 22:21, Akala Kehinde via PacketFence-users wrote:
>
> Hello guys,
>
> I get this error when trying to join PF to an Active Directory Server:
>
> [root@pfence pf]# tail -f /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
> [2017/08/23 02:20:34.196193,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>   Could not fetch our SID - did we join?
> [2017/08/23 02:20:34.196275,  0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>   unable to initialize domain list
> [2017/08/23 02:20:34.324267,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>   initialize_winbindd_cache: clearing cache and re-creating with version number 2
> [2017/08/23 02:20:34.333731,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>   Could not fetch our SID - did we join?
>
> [root@pfence pf]#
>
> Below is my domain.conf file:
>
> [MYDOMAIN]
> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
> ntlm_cache=disabled
> registration=0
> ntlm_cache_expiry=3600
> dns_name=egelsbach.testmawoh.de
> dns_servers=172.16.7.10
> ou=Computers
> ntlm_cache_on_connection=disabled
> workgroup=TESTMAWOH
> ntlm_cache_batch_one_at_a_time=disabled
> sticky_dc=*
> ad_server=winserver.egelsbach.testmawoh.de
> ntlm_cache_batch=disabled
> server_name=pfence
> bind_pass=
> bind_dn=
>
> [root@pfence pf]# ps -efd | grep winbindd
> root 20052 1  7 04:15 ? 00:00:14 winbindd-wrapper
> root 21912 20052  1 04:18 ? 00:00:00 sudo chroot /chroots/MYDOMAIN /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
> root 21913 21912  0 04:18 ? 00:00:00 /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
> root 21915  4173  0 04:18 ttyS0 00:00:00 grep --color=auto winbindd
>
> [root@pfence pf]# /usr/local/pf/bin/pfcmd service winbindd status
> service|shouldBeStarted|pid
> winbindd|1|20052
> [root@pfence pf]#
>
> There is reachability between PF, the AD and DNS servers and all can
> resolve DNS queries.
>
> I have tried everything but it just refuses to bind. What else could be wrong,
> please?
>
>
> Regards,
> Kehinde

Re: [PacketFence-users] Captive portal SSL not using defined cert after PF7 upgrade

2017-08-23 Thread Will Halsall via PacketFence-users
I just added the intermediate certificate to the cat process:

cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key /usr/local/pf/conf/ssl/intermediates.crt >/usr/local/pf/conf/ssl/server.pem

and uncommented the intermediate certificate in ssl-certificates.conf
Packetfence/conf/httpd.conf.d/ssl-certificates.conf:SSLCertificateChainFile %%install_dir%%/conf/ssl/intermediates.crt

See if that helps

From: Thomas, Gregory A via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Tuesday, August 22, 2017 8:21 PM
To: packetfence-users@lists.sourceforge.net
Cc: Thomas, Gregory A
Subject: Re: [PacketFence-users] Captive portal SSL not using defined cert 
after PF7 upgrade

I know this is an older post but I am having some problems with the cert 
getting to the user's computer.

I have concatenated the crt and key file to a pem. The thing is, I am using a 
wild card cert with a chain so on some machines the user is seeing an error of 
an invalid cert. When looking at the cert they are seeing it is from *.uwp.edu 
(which is the valid name) I am guessing it is invalid because it is missing the 
chain crt.

Is there any way to include the chain in the pem file?

--
Gregory A. Thomas
Student Life Support Specialist
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432

From: Virginie Girou [mailto:virginie.gi...@ut-capitole.fr]
Sent: Tuesday, May 2, 2017 3:27 AM
To: 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive portal SSL not using defined cert 
after PF7 upgrade

Hello,

thank you it works now !


Virginie Girou

Equipe systeme

DSI - UT1 Capitole

Tel : +33 (0)5.61.63.39.19
On 28/04/2017 at 23:53, Sokolowski, Darryl wrote:
Fantastic!
We're up and running!
Thanks again to all for your help!

Darryl

From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: Friday, April 28, 2017 5:46 PM
To: 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive portal SSL not using defined cert 
after PF7 upgrade


On Apr 28, 2017, at 5:25 PM, Sokolowski, Darryl 
> wrote:

Oh, ok, now I understand what Fabrice meant about haproxy terminating the ssl 
tunnel. Thanks for that explanation.
Sorry, I didn't pick that up right away.

I changed var/conf/haproxy.conf to point at my certificates, and every time I 
restart the service, it rewrites haproxy.conf file back to using server.pem.


That's the expected behaviour.
That file is actually generated based on your configuration, every time you
start the service.

So reading your response again, it sounds like my concatenated certificate
might need to be named 'server.pem'.
If I rename my certificate to 'server.pem', it works as desired.
Is that the way to do it? Or am I still off-base?

That's the way to go.

'server.pem' won't get overwritten by an upgrade?

This is what the packetfence.spec file does:

#Make ssl certificate
if [ ! -f /usr/local/pf/conf/ssl/server.crt ]; then
    openssl req -x509 -new -nodes -days 365 -batch \
        -out /usr/local/pf/conf/ssl/server.crt \
        -keyout /usr/local/pf/conf/ssl/server.key \
        -nodes -config /usr/local/pf/conf/openssl.cnf
    cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key > /usr/local/pf/conf/ssl/server.pem
fi

So as long as you have a file named "/usr/local/pf/conf/ssl/server.crt" it
won't overwrite the server.pem.

I agree that this should be configurable.
I'm adding it to the wishlist for 7.1 or 7.2.



Regards,
--
Louis Munro
lmu...@inverse.ca  ::  
www.inverse.ca
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)





Re: [PacketFence-users] PF just refuses to join AD domain??

2017-08-23 Thread Akala Kehinde via PacketFence-users
Hello Fabrice,

And actually the FQDN of my domain name is EGELSBACH.TESTMAWOH.DE and not
TESTMAWOH.DE. None works for me.

Regards,
Kehinde

On Wed, Aug 23, 2017 at 8:38 AM, Akala Kehinde 
wrote:

> Hello Fabrice,
>
> Kindly see below:
>
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -g
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
> Error looking up domain groups
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -t
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the trust secret for domain (null) via RPC calls failed
> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
> Could not check secret
> [root@pfence pf]#
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -P
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> checking the NETLOGON for domain[] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
> [root@pfence pf]# chroot /chroots/MYDOMAIN wbinfo -p
> Ping to winbindd failed
> could not ping winbindd!
> [root@pfence pf]#
>
>
> Tested with TESTMAWOH.DE but still cannot join..
> It's driving me nuts:)
>
> Regards,
> Kehinde
>
> On Wed, Aug 23, 2017 at 4:44 AM, Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello Akala,
>>
>> what happens if you do that:
>>
>> chroot /chroots/MYDOMAIN
>>
>> wbinfo -u
>>
>> wbinfo -g
>>
>> if there are no usernames or groups displayed then try:
>>
>> dns_name=TESTMAWOH.DE
>> and rejoin
>>
>> Regards
>> Fabrice
>>
>>
>> On 2017-08-22 at 22:21, Akala Kehinde via PacketFence-users wrote:
>>
>> Hello guys,
>>
>> I get this error when trying to join PF to an Active Directory Server:
>>
>> [root@pfence pf]# tail -f /chroots/MYDOMAIN/var/log/sambaMYDOMAIN/log.winbindd
>> [2017/08/23 02:20:34.196193,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>   Could not fetch our SID - did we join?
>> [2017/08/23 02:20:34.196275,  0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
>>   unable to initialize domain list
>> [2017/08/23 02:20:34.324267,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
>>   initialize_winbindd_cache: clearing cache and re-creating with version number 2
>> [2017/08/23 02:20:34.333731,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
>>   Could not fetch our SID - did we join?
>>
>> [root@pfence pf]#
>>
>> Below is my domain.conf file:
>>
>> [MYDOMAIN]
>> ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2
>> ntlm_cache=disabled
>> registration=0
>> ntlm_cache_expiry=3600
>> dns_name=egelsbach.testmawoh.de
>> dns_servers=172.16.7.10
>> ou=Computers
>> ntlm_cache_on_connection=disabled
>> workgroup=TESTMAWOH
>> ntlm_cache_batch_one_at_a_time=disabled
>> sticky_dc=*
>> ad_server=winserver.egelsbach.testmawoh.de
>> ntlm_cache_batch=disabled
>> server_name=pfence
>> bind_pass=
>> bind_dn=
>>
>> [root@pfence pf]# ps -efd | grep winbindd
>> root 20052 1  7 04:15 ? 00:00:14 winbindd-wrapper
>> root 21912 20052  1 04:18 ? 00:00:00 sudo chroot /chroots/MYDOMAIN /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>> root 21913 21912  0 04:18 ? 00:00:00 /usr/sbin/winbindd -s /etc/samba/MYDOMAIN.conf -l /var/log/sambaMYDOMAIN --foreground
>> root 21915  4173  0 04:18 ttyS0 00:00:00 grep --color=auto winbindd
>>
>> [root@pfence pf]# /usr/local/pf/bin/pfcmd service winbindd status
>> service|shouldBeStarted|pid
>> winbindd|1|20052
>> [root@pfence pf]#
>>
>> There is reachability between PF, the AD and DNS servers and all can
>> resolve DNS queries.
>>
>> I have tried everything but it just refuses to bind. What else could be wrong,
>> please?
>>
>>
>> Regards,
>> Kehinde