[Samba] Samba AD firewalld services

L.P.H. van Belle belle at bazuin.nl
Thu Aug 27 13:58:45 UTC 2015


mDNS is not DNS
mDNS (zeroconf/avahi) ( used for .local and .lan reserved TLDs ) is an Apple thingy..

mDNS udp 5353
DNS tcp/udp 53.

Yes, dns tcp + udp.

If a dns udp packet is too large it switches to tcp.
Got that from Wietse ( the Postfix developer )
So I must believe him..  Wietse is great.. ( and Dutch )  :-))

Greetz, 

Louis


>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
>Robert Moskowitz
>Sent: Thursday 27 August 2015 15:49
>To: Rowland Penny; samba at lists.samba.org
>Subject: Re: [Samba] Samba AD firewalld services
>
>Oh, this really helps.  See below, though.
>
>On 08/27/2015 09:33 AM, Rowland Penny wrote:
>> On 27/08/15 14:25, Robert Moskowitz wrote:
>>> Progress...
>>>
>>> On 08/27/2015 08:50 AM, L.P.H. van Belle wrote:
>>>> After reading this thread.. and ..seeing the comments..
>>>>
>>>> I googled a bit around. and yes.. more than 5 sec..  ;-)
>>>>
>>>> I wonder why almost every "centos/redhat/rpm based" howto removes
>>>> firewalld with the base iptables service
>>>> Now, I'm not "pro" systemd or con systemd, I use it but I set my
>>>> firewall with ufw,
>>>> which is much more flexible in my opinion.
>>>> I just don't care about how it starts.. as long as it works..
>>>>
>>>> So I found this one..
>>>> http://www.certdepot.net/rhel7-get-started-firewalld/
>>>> looks very nice, it explains all.
>>>> based on that, how to create a "samba4-ad" service with multiple ports
>>>> in it.
>>>> or better, split it up into..
>>>> samba4-kerberos
>>>> samba4-smbd
>>>> samba4-nmbd
>>>> etc..
>>>
>>> I have looked at the actual /usr/lib/firewalld/services xml files and
>>> find that I should use:
>>>
>>> samba kerberos kpasswd dns ldap ldaps
>>>
>>> And need to create services for tcp ports 135 (rpc) and 3268 (MS 
>>> Global Catalog), or just do those as ports.
>>>
>>> Still to be worked out are:
>>>
>>> what about ldap and ldaps over udp?  And do I need a rule for port 1024?
>>>
>>> thanks
>>>
>>>>
>>>> The only thing I can't see there in the "HAProxy example" is you can
>>>> add multiple "port / protocols" in there.
>>>> that's up to you.
>>>>
>>>> but I think you will manage that.
>>>>
>>>> .. side note..
>>>> Firewalling is not really a samba topic.. but we are all (yes
>>>> Rowland too) happy to help you..
>>>> ;-)  Rowland is just not a "fan" of systemd..  ROFL...
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Bair
>>>>> Sent: Thursday 27 August 2015 14:01
>>>>> To: Robert Moskowitz
>>>>> CC: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Samba AD firewalld services
>>>>>
>>>>> The services and their port numbers and protocols are defined in
>>>>> /etc/services. You should be able to use that file to map from
>>>>> port numbers to services if you want to use the service names
>>>>> instead. This is not something new with firewalld, iptables has had
>>>>> this option forever as well.
>>>>>
>>>>> On Thu, Aug 27, 2015 at 12:20 AM, Robert Moskowitz
>>>>> <rgm at htt-consult.com>
>>>>> wrote:
>>>>>
>>>>>> Now with firewalld, opening up ports is now 'better' done by opening
>>>>>> services.  So what do I need, for starters it seems:
>>>>>>
>>>>>> dns, dhcp, dhcpv6, samba, kerberos
>>>>>>
>>>>>> Here is the list of services:
>>>>>>
>>>>>> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6
>>>>>> dhcpv6-client dns ftp high-availability http https imaps ipp
>>>>>> ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls
>>>>>> mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi
>>>>>> pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba
>>>>>> samba-client smtp ssh telnet tftp tftp-client transmission-client
>>>>>> vnc-server wbem-https
>>>>>>
>>>>>> I will only be running one AD, but a number of file servers (which in
>>>>>> Samba4 are really DCs without some services?) .
>>>>>>
>>>>>> thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>
>>>
>>>
>>
>> Ah, This might help: 
>> https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
>
>There it is!  Shows my weak search foo.  Answers the udp ldap/s 
>question. Couple new questions though.
>
>mDNS?  Even if you are running DHCP which provides the Nameserver 
>address?  And again, the firewalld mdns service only specifies 
>udp; no tcp.
>
>And what to do for ports 1024-5000?  Open one?  Open a few?
>
>
>>
>> Didn't know it was there (probably because it wasn't, three days ago 
>> :-D     )
>
>I suspect it was there, only edited 3 days ago.
>
>

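A worked example of the "split it up" approach Louis suggests, combined with what Robert found in /usr/lib/firewalld/services: keep the built-in dns, kerberos, kpasswd, ldap, ldaps and samba services and add one custom firewalld service for the ports they do not cover, 135/tcp (RPC endpoint mapper), 3268/tcp (Global Catalog) and the dynamic RPC range from the 1024-5000 question. This is an added example, not code from anyone in the thread or from the Samba project; the service name samba-ad-rpc, the install helper and the default range bounds are my own choices, and the bounds you actually open should come from the Samba wiki port-usage page linked above.

```shell
#!/bin/sh
# Custom firewalld service for the Samba AD DC ports that the built-in
# services (dns kerberos kpasswd ldap ldaps samba) do not cover.
# The built-in dns service already opens 53 tcp+udp; mdns (5353/udp) is
# avahi/zeroconf and is not needed for AD DNS.
set -eu

SERVICE_NAME="samba-ad-rpc"                 # assumed name, not a Samba convention
SERVICE_DIR="/etc/firewalld/services"       # user files here override /usr/lib/firewalld/services

# Print the service definition to stdout. $1/$2 = dynamic RPC range bounds.
samba_ad_rpc_service_xml() {
    lo=$1; hi=$2
    # Refuse nonsense ranges rather than silently opening the wrong ports.
    case "$lo$hi" in *[!0-9]*) echo "range bounds must be numeric" >&2; return 1;; esac
    if [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ] || [ "$lo" -ge "$hi" ]; then
        echo "invalid dynamic RPC range $lo-$hi" >&2; return 1
    fi
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba AD RPC</short>
  <description>RPC endpoint mapper, Global Catalog and dynamic RPC ports of a Samba AD DC. Use together with the dns, kerberos, kpasswd, ldap, ldaps and samba services.</description>
  <port protocol="tcp" port="135"/>
  <port protocol="tcp" port="3268"/>
  <port protocol="tcp" port="$lo-$hi"/>
</service>
EOF
}

# Write the service file and enable it plus the built-in services in the
# default zone (must run as root on the DC).
install_samba_ad_rpc_service() {
    samba_ad_rpc_service_xml "$1" "$2" > "$SERVICE_DIR/$SERVICE_NAME.xml"
    firewall-cmd --reload                    # firewalld must read the new file first
    firewall-cmd --permanent --add-service="$SERVICE_NAME"
    for s in dns kerberos kpasswd ldap ldaps samba; do
        firewall-cmd --permanent --add-service="$s"
    done
    firewall-cmd --reload
    firewall-cmd --list-services             # check what the zone now allows
}

# Usage: sudo sh samba-ad-firewalld.sh install 1024 5000
if [ "${1-}" = "install" ]; then
    install_samba_ad_rpc_service "${2:-1024}" "${3:-5000}"
fi
```

Run the script with no arguments to only define the functions, or with `install LO HI` to write the file and enable the services; `firewall-cmd --info-service=samba-ad-rpc` shows the resulting port list afterwards.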