[Samba] Samba4 - Win7 RSAT tools - global catalog (GC) cannot be contacted

Thomas Harold thomas-lists at nybeta.com
Sun Jun 16 04:12:40 MDT 2013


Fresh install of 4.0.6 from source on CentOS 6 minimal.  Provisioning 
worked fine as did adding a Win7 Pro machine to the domain.  Now trying 
to use the RSAT (Remote System Administration Tools), specifically the 
Active Directory Users and Computers tool.

When looking at the properties for the "Administrator" account, clicking 
on the "Member Of" tab results in a 30-second wait, then the error 
message "global catalog (GC) cannot be contacted".

Once I click through the error message, it displays the groups that the 
account is a member of.

Config file is:

# Global parameters
[global]
         workgroup = EXAMPLE
         realm = HQ.EXAMPLE.COM
         netbios name = ATHENS
         server role = active directory domain controller
         dns forwarder = 172.30.0.1

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/hq.example.com/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No

My guess is that this is an iptables error, although I followed the 
instructions on the wiki to open up the appropriate ports.  Not sure 
what port/protocol I missed.

https://wiki.samba.org/index.php/Configure_your_firewall

/etc/sysconfig/iptables:

# Generated by iptables-save v1.4.7 on Fri May 24 21:51:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:6932]
:NFSCHECK - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -j NFSCHECK
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A NFSCHECK -s 172.30.0.0/24 -p tcp -m multiport --dports 2049,32803,892,662,111 -m comment --comment "TCP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -s 172.30.0.0/24 -p udp -m multiport --dports 2049,32769,892,662,111 -m comment --comment "UDP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -j RETURN
COMMIT
# Completed on Fri May 24 21:51:36 2013
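
Added example, not part of the original post: a small Python check that reads an iptables-save ruleset like the one above and lists which AD DC service ports the INPUT chain does not accept. The port table is an assumption (the commonly documented AD DC ports, not a list taken from the post), and the function names are hypothetical.

```python
import shlex

# Assumption (not from the post): the commonly documented AD DC service ports.
REQUIRED = {
    "tcp": {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
            139: "NetBIOS session", 389: "LDAP", 445: "SMB", 464: "kpasswd",
            636: "LDAPS", 3268: "global catalog", 3269: "global catalog (SSL)"},
    "udp": {53: "DNS", 88: "Kerberos", 137: "NetBIOS name",
            138: "NetBIOS datagram", 389: "CLDAP", 464: "kpasswd"},
}

def accepted_ports(ruleset, chain="INPUT"):
    """Return {(proto, port)} accepted directly by `chain` in iptables-save text.
    Jumps to user-defined chains are not followed; -s limits are ignored."""
    accepted = set()
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:2] != ["-A", chain] or "-j" not in tok:
            continue
        target = tok[tok.index("-j") + 1]
        if target in ("REJECT", "DROP") and not {"-p", "-s", "-i", "-m"} & set(tok):
            break  # catch-all deny: later rules in this chain never match
        if target != "ACCEPT" or "-p" not in tok:
            continue
        proto = tok[tok.index("-p") + 1]
        for flag in ("--dport", "--dports"):
            if flag in tok:
                for part in tok[tok.index(flag) + 1].split(","):
                    lo, _, hi = part.partition(":")  # "a:b" is a port range
                    for port in range(int(lo), int(hi or lo) + 1):
                        accepted.add((proto, port))
    return accepted

def missing_ports(ruleset):
    """List (proto, port, service) entries of REQUIRED the ruleset does not accept."""
    have = accepted_ports(ruleset)
    return [(proto, port, name) for proto, ports in REQUIRED.items()
            for port, name in sorted(ports.items()) if (proto, port) not in have]

# Constructed input: the per-port INPUT rules from the post, rebuilt from port lists.
TCP = [22, 53, 88, 135, 139, 389, 445, 464, 631, 636, 1024, 5353]
UDP = [53, 88, 137, 138, 389, 464, 631, 5353]
RULE = "-A INPUT -p {0} -m state --state NEW -m {0} --dport {1} -j ACCEPT"
POSTED = "\n".join(
    ["*filter", ":INPUT ACCEPT [0:0]"]
    + [RULE.format(p, n) for p, ports in (("tcp", TCP), ("udp", UDP)) for n in ports]
    + ["-A INPUT -j REJECT --reject-with icmp-host-prohibited", "COMMIT"])

if __name__ == "__main__":
    for proto, port, name in missing_ports(POSTED):
        print(f"not accepted: {port}/{proto} ({name})")
```

For the posted ruleset this reports 3268/tcp and 3269/tcp, the global catalog ports.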

