samba - Jun 2013 - Samba4 - Win7 RSAT tools - global catalog (GC) cannot be contacted

Fresh install of 4.0.6 from source on CentOS 6 minimal.  Provisioning 
worked fine as did adding a Win7 Pro machine to the domain.  Now trying 
to use the RSAT (Remote System Administration Tools), specifically the 
Active Directory Users and Computers tool.

When looking at the properties for the "Administrator" account,
clicking
on the "Member Of" tab results in a 30 second wait, then the error 
message of "global catalog (GC) cannot be contacted".

Once I click through the error message, it displays the groups that the 
account is a member of.

Config file is:

# Global parameters
[global]
         workgroup = EXAMPLE
         realm = HQ.EXAMPLE.COM
         netbios name = ATHENS
         server role = active directory domain controller
         dns forwarder = 172.30.0.1

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/hq.example.com/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No

My guess is that this is an iptables error, although I followed the 
instructions on the wiki to open up the appropriate ports.  Not sure 
what port/protocol I missed.

https://wiki.samba.org/index.php/Configure_your_firewall

/etc/sysconfig/iptables:

# Generated by iptables-save v1.4.7 on Fri May 24 21:51:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:6932]
:NFSCHECK - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -j NFSCHECK
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A NFSCHECK -s 172.30.0.0/24 -p tcp -m multiport --dports 
2049,32803,892,662,111 -m comment --comment "TCP for nfs, lockd, mountd, 
statd, portmap" -j ACCEPT
-A NFSCHECK -s 172.30.0.0/24 -p udp -m multiport --dports 
2049,32769,892,662,111 -m comment --comment "UDP for nfs, lockd, mountd, 
statd, portmap" -j ACCEPT
-A NFSCHECK -j RETURN
COMMIT
# Completed on Fri May 24 21:51:36 2013

Hello Thomas,

Am 16.06.2013 12:12, schrieb Thomas Harold:
> When looking at the properties for the "Administrator" account,
clicking
> on the "Member Of" tab results in a 30 second wait, then the
error
> message of "global catalog (GC) cannot be contacted".
The global catalog uses port 3268/tcp, which wasn't listed in your 
iptables command list.

I added it to the Wiki page, too.



Wether something else is missing, you can see, if you check on which 
ports the Samba daemons are listening:

# netstat -taunp | egrep "tcp.*LISTEN|udp" | grep
"samba|smbd"


Regards,
Marc