Hi,
unfortunately I just found enough time to check your suggestions:
I added a static route to direct traffic from 169.254.0.0/30 to my pf
machine (10.0.1.2).
I tried to find my dc but with no luck.
When enabling the debug mode I could see that I am getting the correct DNS
entries back (however not complete as my DC has thee IPs 10.0.0.101 &
10.0.1.101 and I am only getting the first one) but am not able to
connect...
The port to which the connection should be established is in fact open.
In the log below I replaced the Domains with the generic domain <domain>.
My workgroup is basically my domain without the tld, just to avoid
confusion.
net ads info -s /etc/samba/<DomainID>.conf -d 10 returned:
INFO: Current debug levels:
all: 10
[...]
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
INFO: Current debug levels:
[...]
Processing section "[global]"
doing parameter workgroup = <WORKGROUP>
doing parameter realm = <domain>
doing parameter netbios name = localhost
doing parameter server string = localhost
doing parameter pid directory = /usr/local/pf/var/run/<DomainID>
doing parameter lock directory = /var/cache/samba
doing parameter private dir = /var/cache/samba
doing parameter security = ADS
doing parameter winbind use default domain = no
doing parameter idmap uid = 600-20000
WARNING: The "idmap uid" option is deprecated
doing parameter idmap gid = 600-20000
WARNING: The "idmap gid" option is deprecated
doing parameter template shell = /bin/bash
doing parameter winbind expand groups = 10
doing parameter password server = *
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter inherit permissions = yes
doing parameter admin users = @<WORKGROUP>\"domain admins"
doing parameter hide files =
/~*/Thumbs.db/desktop.ini/ntuser.ini/NTUSER.*/SMax.*/
doing parameter veto files = /lost+found/
doing parameter allow trusted domains = yes
doing parameter show add printer wizard = no
doing parameter disable spoolss = yes
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter usershare max shares = 0
doing parameter browseable = no
doing parameter guest ok = no
doing parameter machine password timeout = 0
doing parameter client ipc signing = auto
pm_process() returned Yes
lp_servicenumber: couldn't find homes
messaging_dgm_ref: messaging_dgm_init returned Erfolg
messaging_dgm_ref: unique = 16363321606826345832
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
messaging_init: my id: 26541
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
INFO: Current debug levels:
[...]
Processing section "[global]"
doing parameter workgroup = <WORKGROUP>
doing parameter realm = <domain>
doing parameter netbios name = localhost
doing parameter server string = localhost
doing parameter pid directory = /usr/local/pf/var/run/<DomainID>
doing parameter lock directory = /var/cache/samba
doing parameter private dir = /var/cache/samba
doing parameter security = ADS
doing parameter winbind use default domain = no
doing parameter idmap uid = 600-20000
WARNING: The "idmap uid" option is deprecated
doing parameter idmap gid = 600-20000
WARNING: The "idmap gid" option is deprecated
doing parameter template shell = /bin/bash
doing parameter winbind expand groups = 10
doing parameter password server = *
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter inherit permissions = yes
doing parameter admin users = @<WORKGROUP>\"domain admins"
doing parameter hide files =
/~*/Thumbs.db/desktop.ini/ntuser.ini/NTUSER.*/SMax.*/
doing parameter veto files = /lost+found/
doing parameter allow trusted domains = yes
doing parameter show add printer wizard = no
doing parameter disable spoolss = yes
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter usershare max shares = 0
doing parameter browseable = no
doing parameter guest ok = no
doing parameter machine password timeout = 0
doing parameter client ipc signing = auto
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="LOCALHOST"
added interface ens192 ip=fda1:29bf:c056:4202:20c:29ff:fe85:5771
bcast= netmask=ffff:ffff:ffff:ffff::
added interface ens224 ip=fda1:29bf:c056:4202:20c:29ff:fe85:577b
bcast= netmask=ffff:ffff:ffff:ffff::
added interface <DomainID>-b ip=169.254.0.2 bcast=169.254.0.3
netmask=255.255.255.252
added interface ens224.100 ip=10.0.0.2 bcast=10.0.0.255
netmask=255.255.255.0
added interface ens192 ip=10.0.1.2 bcast=10.0.1.255
netmask=255.255.255.0
added interface ens224.102 ip=10.0.2.2 bcast=10.0.2.255
netmask=255.255.255.0
added interface ens224.103 ip=10.0.3.1 bcast=10.0.3.255
netmask=255.255.255.0
added interface ens224.109 ip=10.0.9.2 bcast=10.0.9.255
netmask=255.255.255.0
added interface ens224.254 ip=10.0.254.2 bcast=10.0.254.255
netmask=255.255.255.0
added interface ens224 ip=10.0.255.2 bcast=10.0.255.255
netmask=255.255.255.0
added interface ens224.10 ip=10.1.0.2 bcast=10.1.255.255
netmask=255.255.0.0
added interface ens224.20 ip=10.2.0.2 bcast=10.2.255.255
netmask=255.255.0.0
added interface ens224.30 ip=10.3.0.2 bcast=10.3.255.255
netmask=255.255.0.0
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/cache/samba/gencache_notrans.tdb
Adding cache entry with key=[AD_SITENAME/DOMAIN/<DOMAIN>] and
timeout=[Do Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
Could not get allrecord lock on gencache_notrans.tdb: Locking error
sitename_fetch: No stored sitename for realm '<DOMAIN>'
resolve_and_ping_dns: (cldap) looking for realm '<DOMAIN>'
get_sorted_dc_list: attempting lookup for name <DOMAIN> (sitename
NULL)
Adding cache entry with key=[SAFJOIN/DOMAIN/<DOMAIN>] and
timeout=[Do Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
Could not get allrecord lock on gencache_notrans.tdb: Locking error
Adding cache entry with key=[SAF/DOMAIN/<DOMAIN>] and timeout=[Do
Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
Could not get allrecord lock on gencache_notrans.tdb: Locking error
saf_fetch: failed to find server for "<DOMAIN>" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up <DOMAIN>#1c (sitename (null))
Adding cache entry with key=[NBT/<DOMAIN>#1C] and timeout=[Do Jan 1
00:00:00 1970 UTC] (-1579954161 seconds in the past)
no entry for <DOMAIN>#1C found.
resolve_ads: Attempting to resolve DCs for <DOMAIN> using DNS
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed nas0.<domain> [0, 100, 389]
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for <DOMAIN>#1c: 10.0.0.101
Adding cache entry with key=[NBT/<DOMAIN>#1C] and timeout=[Do Jan 1
00:00:00 1970 UTC] (-1579954166 seconds in the past)
Adding cache entry with key=[NBT/<DOMAIN>#1C] and timeout=[Sa Jan 25
12:20:26 2020 UTC] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 10.0.0.101:389
Adding 1 DC's from auto lookup
Adding cache entry with key=[NEG_CONN_CACHE/<DOMAIN>,10.0.0.101] and
timeout=[Do Jan 1 00:00:00 1970 UTC] (-1579954166 seconds in the past)
check_negative_conn_cache returning result 0 for domain <DOMAIN>
server 10.0.0.101
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.0.0.101:389
check_negative_conn_cache returning result 0 for domain <DOMAIN>
server 10.0.0.101
ads_try_connect: sending CLDAP request to 10.0.0.101 (realm:
<DOMAIN>)
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.101 failed.
Adding cache entry with key=[NEG_CONN_CACHE/<DOMAIN>,10.0.0.101] and
timeout=[Sa Jan 25 12:10:32 2020 UTC] (60 seconds ahead)
add_failed_connection_entry: added domain <DOMAIN> (10.0.0.101) to
failed conn cache
ads_find_dc: falling back to netbios name resolution for domain
'<WORKGROUP>' (realm '<DOMAIN>')
resolve_and_ping_netbios: (cldap) looking for domain '<WORKGROUP>'
get_sorted_dc_list: attempting lookup for name <WORKGROUP> (sitename
NULL)
Adding cache entry with key=[SAFJOIN/DOMAIN/<WORKGROUP>] and
timeout=[Do Jan 1 00:00:00 1970 UTC] (-1579954172 seconds in the past)
Adding cache entry with key=[SAF/DOMAIN/<WORKGROUP>] and timeout=[Do
Jan 1 00:00:00 1970 UTC] (-1579954172 seconds in the past)
saf_fetch: failed to find server for "<WORKGROUP>" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up <WORKGROUP>#1c (sitename (null))
Adding cache entry with key=[NBT/<WORKGROUP>#1C] and timeout=[Do Jan
1 00:00:00 1970 UTC] (-1579954172 seconds in the past)
no entry for <WORKGROUP>#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name
<WORKGROUP><0x1c>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was
Datei oder Verzeichnis nicht gefunden
resolve_wins: WINS server resolution selected and no WINS servers
listed.
resolve_hosts: not appropriate for name type <0x1c>
name_resolve_bcast: Attempting broadcast lookup for name
<WORKGROUP><0x1c>
tstream_unix_connect failed: Datei oder Verzeichnis nicht gefunden
nmbd not around
[x10]
Adding 0 DC's from auto lookup
get_dc_list: no servers found
ads_find_dc: name resolution for realm '<DOMAIN>' (domain
'<WORKGROUP>') failed: NT_STATUS_NO_LOGON_SERVERS
ads_connect: No logon servers
Adding cache entry with key=[AD_SITENAME/DOMAIN/<DOMAIN>] and
timeout=[Do Jan 1 00:00:00 1970 UTC] (-1579954173 seconds in the past)
sitename_fetch: No stored sitename for realm '<DOMAIN>'
resolve_and_ping_dns: (cldap) looking for realm '<DOMAIN>'
get_sorted_dc_list: attempting lookup for name <DOMAIN> (sitename
NULL)
Adding cache entry with key=[SAFJOIN/DOMAIN/<DOMAIN>] and
timeout=[Do Jan 1 00:00:00 1970 UTC] (-1579954173 seconds in the past)
Adding cache entry with key=[SAF/DOMAIN/<DOMAIN>] and timeout=[Do
Jan 1 00:00:00 1970 UTC] (-1579954173 seconds in the past)
saf_fetch: failed to find server for "<DOMAIN>" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up <DOMAIN>#1c (sitename (null))
name <DOMAIN>#1C found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Adding 1 DC's from auto lookup
check_negative_conn_cache returning result -1073741823 for domain
<DOMAIN> server 10.0.0.101
get_dc_list: negative entry 10.0.0.101 removed from DC list
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 0 ip addresses in an ordered list
get_dc_list:
ads_find_dc: falling back to netbios name resolution for domain
'<WORKGROUP>' (realm '<DOMAIN>')
resolve_and_ping_netbios: (cldap) looking for domain '<WORKGROUP>'
get_sorted_dc_list: attempting lookup for name <WORKGROUP> (sitename
NULL)
saf_fetch: failed to find server for "<WORKGROUP>" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up <WORKGROUP>#1c (sitename (null))
no entry for <WORKGROUP>#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name
<WORKGROUP><0x1c>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was
Datei oder Verzeichnis nicht gefunden
resolve_wins: WINS server resolution selected and no WINS servers
listed.
resolve_hosts: not appropriate for name type <0x1c>
name_resolve_bcast: Attempting broadcast lookup for name
<WORKGROUP><0x1c>
tstream_unix_connect failed: Datei oder Verzeichnis nicht gefunden
nmbd not around
[x10]
Adding 0 DC's from auto lookup
get_dc_list: no servers found
ads_find_dc: name resolution for realm '<DOMAIN>' (domain
'<WORKGROUP>') failed: NT_STATUS_NO_LOGON_SERVERS
ads_connect: No logon servers
Didn't find the ldap server!
return code = -1
msg_dgm_ref_destructor: refs=(nil)
-----Ursprüngliche Nachricht-----
Von: Nicolas Quiniou-Briand via PacketFence-users
<packetfence-users@lists.sourceforge.net>
Gesendet: Montag, 13. Januar 2020 16:08
An: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand <n...@inverse.ca>
Betreff: Re: [PacketFence-users] Failed to join domain
Hello Christian,
In your domain chroot, try following commands:
#v+
### Check if you can find a DC with your current configuration # net ads
info -s /etc/samba/<mydomain>.conf ## debug # net ads info -s
/etc/samba/<mydomain>.conf -d 10
### Run a domain join manually
# net ads join -s /etc/samba/<mydomain>.conf -U user ## debug # net ads join
-s /etc/samba/<mydomain>.conf -U user -d 10
#v-
To enter in chroot: `chroot /chroots/<mydomain>`.
--
Nicolas Quiniou-Briand
n...@inverse.ca :: +1.514.447.4918 *140 :: https://inverse.ca Inverse
inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence
(https://packetfence.org) and Fingerbank (http://fingerbank.org)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
