Hi, unfortunately I just found enough time to check your suggestions: I added a static route to direct traffic from 169.254.0.0/30 to my pf machine (10.0.1.2). I tried to find my DC but with no luck. When enabling the debug mode I could see that I am getting the correct DNS entries back (however not complete, as my DC has the IPs 10.0.0.101 & 10.0.1.101 and I am only getting the first one) but am not able to connect... The port to which the connection should be established is in fact open. In the log below I replaced the domains with the generic domain <domain>. My workgroup is basically my domain without the TLD, just to avoid confusion.
net ads info -s /etc/samba/<DomainID>.conf -d 10 returned:

INFO: Current debug levels:
  all: 10
  [...]
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  [...]
Processing section "[global]"
doing parameter workgroup = <WORKGROUP>
doing parameter realm = <domain>
doing parameter netbios name = localhost
doing parameter server string = localhost
doing parameter pid directory = /usr/local/pf/var/run/<DomainID>
doing parameter lock directory = /var/cache/samba
doing parameter private dir = /var/cache/samba
doing parameter security = ADS
doing parameter winbind use default domain = no
doing parameter idmap uid = 600-20000
WARNING: The "idmap uid" option is deprecated
doing parameter idmap gid = 600-20000
WARNING: The "idmap gid" option is deprecated
doing parameter template shell = /bin/bash
doing parameter winbind expand groups = 10
doing parameter password server = *
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter inherit permissions = yes
doing parameter admin users = @<WORKGROUP>\"domain admins"
doing parameter hide files = /~*/Thumbs.db/desktop.ini/ntuser.ini/NTUSER.*/SMax.*/
doing parameter veto files = /lost+found/
doing parameter allow trusted domains = yes
doing parameter show add printer wizard = no
doing parameter disable spoolss = yes
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter usershare max shares = 0
doing parameter browseable = no
doing parameter guest ok = no
doing parameter machine password timeout = 0
doing parameter client ipc signing = auto
pm_process() returned Yes
lp_servicenumber: couldn't find homes
messaging_dgm_ref: messaging_dgm_init returned Success
messaging_dgm_ref: unique = 16363321606826345832
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
messaging_init: my id: 26541
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  [...]
Processing section "[global]"
doing parameter workgroup = <WORKGROUP>
doing parameter realm = <domain>
doing parameter netbios name = localhost
doing parameter server string = localhost
doing parameter pid directory = /usr/local/pf/var/run/<DomainID>
doing parameter lock directory = /var/cache/samba
doing parameter private dir = /var/cache/samba
doing parameter security = ADS
doing parameter winbind use default domain = no
doing parameter idmap uid = 600-20000
WARNING: The "idmap uid" option is deprecated
doing parameter idmap gid = 600-20000
WARNING: The "idmap gid" option is deprecated
doing parameter template shell = /bin/bash
doing parameter winbind expand groups = 10
doing parameter password server = *
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter inherit permissions = yes
doing parameter admin users = @<WORKGROUP>\"domain admins"
doing parameter hide files = /~*/Thumbs.db/desktop.ini/ntuser.ini/NTUSER.*/SMax.*/
doing parameter veto files = /lost+found/
doing parameter allow trusted domains = yes
doing parameter show add printer wizard = no
doing parameter disable spoolss = yes
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter usershare max shares = 0
doing parameter browseable = no
doing parameter guest ok = no
doing parameter machine password timeout = 0
doing parameter client ipc signing = auto
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="LOCALHOST"
added interface ens192 ip=fda1:29bf:c056:4202:20c:29ff:fe85:5771 bcast= netmask=ffff:ffff:ffff:ffff::
added interface ens224 ip=fda1:29bf:c056:4202:20c:29ff:fe85:577b bcast= netmask=ffff:ffff:ffff:ffff::
added interface <DomainID>-b ip=169.254.0.2 bcast=169.254.0.3 netmask=255.255.255.252
added interface ens224.100 ip=10.0.0.2 bcast=10.0.0.255 netmask=255.255.255.0
added interface ens192 ip=10.0.1.2 bcast=10.0.1.255 netmask=255.255.255.0
added interface ens224.102 ip=10.0.2.2 bcast=10.0.2.255 netmask=255.255.255.0
added interface ens224.103 ip=10.0.3.1 bcast=10.0.3.255 netmask=255.255.255.0
added interface ens224.109 ip=10.0.9.2 bcast=10.0.9.255 netmask=255.255.255.0
added interface ens224.254 ip=10.0.254.2 bcast=10.0.254.255 netmask=255.255.255.0
added interface ens224 ip=10.0.255.2 bcast=10.0.255.255 netmask=255.255.255.0
added interface ens224.10 ip=10.1.0.2 bcast=10.1.255.255 netmask=255.255.0.0
added interface ens224.20 ip=10.2.0.2 bcast=10.2.255.255 netmask=255.255.0.0
added interface ens224.30 ip=10.3.0.2 bcast=10.3.255.255 netmask=255.255.0.0
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/cache/samba/gencache_notrans.tdb
Adding cache entry with key=[AD_SITENAME/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
Could not get allrecord lock on gencache_notrans.tdb: Locking error
sitename_fetch: No stored sitename for realm '<DOMAIN>'
resolve_and_ping_dns: (cldap) looking for realm '<DOMAIN>'
get_sorted_dc_list: attempting lookup for name <DOMAIN> (sitename NULL)
Adding cache entry with key=[SAFJOIN/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
Could not get allrecord lock on gencache_notrans.tdb: Locking error
Adding cache entry with key=[SAF/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
Could not get allrecord lock on gencache_notrans.tdb: Locking error
saf_fetch: failed to find server for "<DOMAIN>" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up <DOMAIN>#1c (sitename (null))
Adding cache entry with key=[NBT/<DOMAIN>#1C] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954161 seconds in the past)
no entry for <DOMAIN>#1C found.
resolve_ads: Attempting to resolve DCs for <DOMAIN> using DNS
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed nas0.<domain> [0, 100, 389]
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for <DOMAIN>#1c: 10.0.0.101
Adding cache entry with key=[NBT/<DOMAIN>#1C] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954166 seconds in the past)
Adding cache entry with key=[NBT/<DOMAIN>#1C] and timeout=[Sat Jan 25 12:20:26 2020 UTC] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 10.0.0.101:389
Adding 1 DC's from auto lookup
Adding cache entry with key=[NEG_CONN_CACHE/<DOMAIN>,10.0.0.101] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954166 seconds in the past)
check_negative_conn_cache returning result 0 for domain <DOMAIN> server 10.0.0.101
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.0.0.101:389
check_negative_conn_cache returning result 0 for domain <DOMAIN> server 10.0.0.101
ads_try_connect: sending CLDAP request to 10.0.0.101 (realm: <DOMAIN>)
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 10.0.0.101 failed.
Adding cache entry with key=[NEG_CONN_CACHE/<DOMAIN>,10.0.0.101] and timeout=[Sat Jan 25 12:10:32 2020 UTC] (60 seconds ahead)
add_failed_connection_entry: added domain <DOMAIN> (10.0.0.101) to failed conn cache
ads_find_dc: falling back to netbios name resolution for domain '<WORKGROUP>' (realm '<DOMAIN>')
resolve_and_ping_netbios: (cldap) looking for domain '<WORKGROUP>'
get_sorted_dc_list: attempting lookup for name <WORKGROUP> (sitename NULL)
Adding cache entry with key=[SAFJOIN/DOMAIN/<WORKGROUP>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954172 seconds in the past)
Adding cache entry with key=[SAF/DOMAIN/<WORKGROUP>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954172 seconds in the past)
saf_fetch: failed to find server for "<WORKGROUP>" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up <WORKGROUP>#1c (sitename (null))
Adding cache entry with key=[NBT/<WORKGROUP>#1C] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954172 seconds in the past)
no entry for <WORKGROUP>#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name <WORKGROUP><0x1c>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1c>
name_resolve_bcast: Attempting broadcast lookup for name <WORKGROUP><0x1c>
tstream_unix_connect failed: No such file or directory
nmbd not around [x10]
Adding 0 DC's from auto lookup
get_dc_list: no servers found
ads_find_dc: name resolution for realm '<DOMAIN>' (domain '<WORKGROUP>') failed: NT_STATUS_NO_LOGON_SERVERS
ads_connect: No logon servers
Adding cache entry with key=[AD_SITENAME/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954173 seconds in the past)
sitename_fetch: No stored sitename for realm '<DOMAIN>'
resolve_and_ping_dns: (cldap) looking for realm '<DOMAIN>'
get_sorted_dc_list: attempting lookup for name <DOMAIN> (sitename NULL)
Adding cache entry with key=[SAFJOIN/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954173 seconds in the past)
Adding cache entry with key=[SAF/DOMAIN/<DOMAIN>] and timeout=[Thu Jan 1 00:00:00 1970 UTC] (-1579954173 seconds in the past)
saf_fetch: failed to find server for "<DOMAIN>" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up <DOMAIN>#1c (sitename (null))
name <DOMAIN>#1C found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Adding 1 DC's from auto lookup
check_negative_conn_cache returning result -1073741823 for domain <DOMAIN> server 10.0.0.101
get_dc_list: negative entry 10.0.0.101 removed from DC list
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 0 ip addresses in an ordered list
get_dc_list:
ads_find_dc: falling back to netbios name resolution for domain '<WORKGROUP>' (realm '<DOMAIN>')
resolve_and_ping_netbios: (cldap) looking for domain '<WORKGROUP>'
get_sorted_dc_list: attempting lookup for name <WORKGROUP> (sitename NULL)
saf_fetch: failed to find server for "<WORKGROUP>" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up <WORKGROUP>#1c (sitename (null))
no entry for <WORKGROUP>#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name <WORKGROUP><0x1c>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1c>
name_resolve_bcast: Attempting broadcast lookup for name <WORKGROUP><0x1c>
tstream_unix_connect failed: No such file or directory
nmbd not around [x10]
Adding 0 DC's from auto lookup
get_dc_list: no servers found
ads_find_dc: name resolution for realm '<DOMAIN>' (domain '<WORKGROUP>') failed: NT_STATUS_NO_LOGON_SERVERS
ads_connect: No logon servers
Didn't find the ldap server!
return code = -1
msg_dgm_ref_destructor: refs=(nil)

-----Original Message-----
From: Nicolas Quiniou-Briand via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Monday, 13 January 2020 16:08
To: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand <n...@inverse.ca>
Subject: Re: [PacketFence-users] Failed to join domain

Hello Christian,

In your domain chroot, try the following commands:

#v+
### Check if you can find a DC with your current configuration
# net ads info -s /etc/samba/<mydomain>.conf
## debug
# net ads info -s /etc/samba/<mydomain>.conf -d 10

### Run a domain join manually
# net ads join -s /etc/samba/<mydomain>.conf -U user
## debug
# net ads join -s /etc/samba/<mydomain>.conf -U user -d 10
#v-

To enter the chroot: `chroot /chroots/<mydomain>`.

--
Nicolas Quiniou-Briand
n...@inverse.ca :: +1.514.447.4918 *140 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence (https://packetfence.org) and Fingerbank (http://fingerbank.org)

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
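The decisive lines in the debug log above are "ads_try_connect: sending CLDAP request to 10.0.0.101" followed by "ads_cldap_netlogon: did not get a reply": Samba found the DC through the SRV record, then sent a CLDAP Netlogon ping over UDP port 389 and no datagram came back, after which it gave up on that DC and fell back to NetBIOS (which cannot work without nmbd). A TCP check of port 389 does not exercise this path. The script below is an added example, not code from the thread, from PacketFence or from Samba: it builds the same kind of CLDAP request (LDAP SearchRequest on the root DSE with the filter (&(DnsDomain=<realm>)(NtVer=...)) asking for the Netlogon attribute), sends it over UDP/389, optionally bound to a chosen source address such as the chroot's 169.254.0.x address so the return route is tested as well, and decodes the leading fields of the reply. Assumptions not taken from the page: NtVer is set to 0x00000006 (NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX), the reply layout follows the NETLOGON_SAM_LOGON_RESPONSE_EX structure from MS-ADTS (opcode 23, then Sbz, Flags, DomainGuid and RFC 1035-style compressed DNS names), and every name, address and the sample reply are placeholders constructed for the example.

```python
import socket
import struct

def ber(tag, content):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def octet(s):
    return ber(0x04, s)

def integer(v):
    return ber(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def build_cldap_request(realm, msg_id=1):
    """LDAP SearchRequest on the root DSE for attribute Netlogon with the
    filter (&(DnsDomain=<realm>)(NtVer=\\06\\00\\00\\00))."""
    nt_ver = struct.pack("<I", 0x00000006)          # assumption: NT_VERSION_5 | NT_VERSION_5EX
    filt = ber(0xA0, ber(0xA3, octet(b"DnsDomain") + octet(realm.encode()))   # [0] and, [3] equalityMatch
                     + ber(0xA3, octet(b"NtVer") + octet(nt_ver)))
    search = ber(0x63, octet(b"")                   # [APPLICATION 3] SearchRequest, baseObject ""
                 + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")   # scope baseObject, derefAliases never
                 + integer(0) + integer(0)          # sizeLimit, timeLimit
                 + ber(0x01, b"\x00")               # typesOnly FALSE
                 + filt + ber(0x30, octet(b"Netlogon")))     # attributes
    return ber(0x30, integer(msg_id) + search)      # LDAPMessage

def ber_read(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def ber_children(content):
    pos = 0
    while pos < len(content):
        tag, val, pos = ber_read(content, pos)
        yield tag, val

def extract_netlogon_blob(reply):
    """Pull the Netlogon attribute value out of a SearchResultEntry, or None."""
    for _, msg in ber_children(reply):             # one datagram may carry several LDAPMessages
        for tag, op in ber_children(msg):
            if tag != 0x64:                         # [APPLICATION 4] SearchResultEntry
                continue
            _, _, pos = ber_read(op, 0)             # objectName, skipped
            for _, attr in ber_children(ber_read(op, pos)[1]):
                _, name, p = ber_read(attr, 0)
                if name == b"Netlogon":
                    return ber_read(ber_read(attr, p)[1], 0)[1]   # first value of the SET
    return None

def read_compressed_name(blob, pos, depth=0):
    """Decode an RFC 1035-style compressed DNS name; return (name, next_pos)."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        n = blob[pos]
        if n == 0:
            return ".".join(labels), pos + 1
        if n & 0xC0 == 0xC0:                        # pointer to an earlier name
            target = ((n & 0x3F) << 8) | blob[pos + 1]
            labels.append(read_compressed_name(blob, target, depth + 1)[0])
            return ".".join(labels), pos + 2
        labels.append(blob[pos + 1:pos + 1 + n].decode())
        pos += 1 + n

def parse_netlogon(blob):
    """Decode the leading fields of NETLOGON_SAM_LOGON_RESPONSE_EX (opcode 23)."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    forest, pos = read_compressed_name(blob, 8 + 16)   # names follow the 16-byte DomainGuid
    domain, pos = read_compressed_name(blob, pos)
    host, _ = read_compressed_name(blob, pos)
    return {"opcode": opcode, "flags": flags, "forest": forest, "domain": domain, "dc": host}

def netlogon_ping(dc_ip, realm, source_ip=None, timeout=2.0):
    """Send the CLDAP request over UDP/389; decoded reply, or None on timeout.
    Binding to source_ip (e.g. the chroot's 169.254.0.x address) also checks
    that the DC's reply can be routed back to that address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if source_ip:
            s.bind((source_ip, 0))
        s.settimeout(timeout)
        s.sendto(build_cldap_request(realm), (dc_ip, 389))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    blob = extract_netlogon_blob(data)
    return parse_netlogon(blob) if blob else None

# Constructed sample reply (not captured from a real DC), assembled with the
# encoders above so the decoders can be exercised offline.
SAMPLE_BLOB = (struct.pack("<HHI", 23, 0, 0x3FD) + b"\x00" * 16   # opcode, sbz, flags, DomainGuid
               + b"\x07example\x04test\x00"                        # DnsForestName at offset 24
               + b"\xc0\x18"                                       # DnsDomainName: pointer to offset 24
               + b"\x03dc1\xc0\x18")                               # DnsHostName: "dc1" + pointer
SAMPLE_REPLY = (ber(0x30, integer(1) + ber(0x64, octet(b"") + ber(0x30, ber(0x30,
                    octet(b"Netlogon") + ber(0x31, octet(SAMPLE_BLOB))))))
                + ber(0x30, integer(1) + ber(0x65, ber(0x0A, b"\x00") + octet(b"") + octet(b""))))
```

Run it from inside the domain chroot as, for instance, `netlogon_ping("10.0.0.101", "example.test", source_ip="169.254.0.2")` (placeholder values): a dictionary with the DC's forest, domain and host name means UDP/389 works in both directions for that source address, while `None` reproduces the "did not get a reply" condition from the log and points at UDP filtering or a missing return route rather than at DNS. CLDAP replies are unauthenticated and sent in the clear, so treat the result as a reachability check only, not as proof of which server you are talking to.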