[Samba] Samba AD firewalld services

Robert Moskowitz rgm at htt-consult.com
Thu Aug 27 14:07:57 UTC 2015



On 08/27/2015 09:58 AM, L.P.H. van Belle wrote:
> mDNS is not DNS
> mDNS (zeroconf/avahi) ( used for .local and .lan reserved tlds ) is an apple thingy..
>
> mDNS udp 5353
> DNS tcp/udp 53.
>
> Yes, dns tcp + udp.
>
> If a dns udp packet is too large it switches to tcp.

DNS over tcp I have known and dealt with for a long time.  No problem 
there.  Just mDNS over tcp.  But you can see it for the same reasoning.  
So that is probably a bug in the firewalld mDNS service rule.

> got that from wiets ( the postfix developer )
> So i must believe him..  wiets is great.. ( and dutch )  :-))

He has been a great help on my mailserver work in the past.  As far as 
dutch, Amsterdam is my 'port' of call when I have an EU conference.  I 
have friends in Amstelveen that I stay with over the weekend.  Love my 
walk along an eco-canal to the Amstel river and the Rembrandt statue.

>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Robert Moskowitz
>> Sent: Thursday 27 August 2015 15:49
>> To: Rowland Penny; samba at lists.samba.org
>> Subject: Re: [Samba] Samba AD firewalld services
>>
>> Oh, this really helps.  See below, though.
>>
>> On 08/27/2015 09:33 AM, Rowland Penny wrote:
>>> On 27/08/15 14:25, Robert Moskowitz wrote:
>>>> Progress...
>>>>
>>>> On 08/27/2015 08:50 AM, L.P.H. van Belle wrote:
>>>>> After reading this thread.. and ..seeing the comments..
>>>>>
>>>>> I googled a bit around. and yes.. more than 5 sec..  ;-)
>>>>>
>>>>> I wonder why almost every "centos/redhat/rpm based" howto removes
>>>>> firewalld with the base iptables service
>>>>> now, i'm not "pro" systemd or con systemd, i use it but i set my
>>>>> firewall with ufw,
>>>>> which is much more flexible in my opinion.
>>>>> I just don't care about how it starts.. as long as it works..
>>>>>
>>>>> so i found this one..
>>>>> http://www.certdepot.net/rhel7-get-started-firewalld/
>>>>> looks very nice, it explains all.
>>>>> based on that, how to create a "samba4-ad" service with multiple ports
>>>>> in it.
>>>>> or better, split it up into..
>>>>> samba4-kerberos
>>>>> samba4-smbd
>>>>> samba4-nmbd
>>>>> etc..
>>>> I have looked at the actual /usr/lib/firewalld/services xml files and
>>>> find that I should use:
>>>>
>>>> samba kerberos kpasswd dns ldap ldaps
>>>>
>>>> And need to create services for tcp ports 135 (rpc) and 3268 (MS
>>>> Global Catalog), or just do those as ports.
>>>>
>>>> Still to be worked out are:
>>>>
>>>> what about ldap and ldaps over udp?  And do I need a rule for port 1024?
>>>> thanks
>>>>
>>>>> The only thing i can't see there in the "HAProxy example" is you can
>>>>> add multiple "port / protocols" in there.
>>>>> that's up to you.
>>>>>
>>>>> but i think you will manage that.
>>>>>
>>>>> .. side note..
>>>>> Firewalling is not really a samba topic.. but we are all (yes
>>>>> Rowland too) happy to help you..
>>>>> ;-)  Rowland is just not a "fan" of systemd..  ROFL...
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Bair
>>>>>> Sent: Thursday 27 August 2015 14:01
>>>>>> To: Robert Moskowitz
>>>>>> CC: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Samba AD firewalld services
>>>>>>
>>>>>> The services and their port numbers and protocols are defined in
>>>>>> /etc/services. You should be able to use that file to map from
>>>>>> port numbers to services if you want to use the service names instead.
>>>>>> This is not something new with firewalld, iptables has had this option
>>>>>> forever as well.
>>>>>>
>>>>>> On Thu, Aug 27, 2015 at 12:20 AM, Robert Moskowitz
>>>>>> <rgm at htt-consult.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Now with firewalld, opening up ports is now 'better' done by opening
>>>>>>> services.  So what do I need, for starters it seems:
>>>>>>>
>>>>>>> dns, dhcp, dhcpv6, samba, kerberos
>>>>>>>
>>>>>>> Here is the list of services:
>>>>>>>
>>>>>>> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6
>>>>>>> dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client
>>>>>>> ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt
>>>>>>> mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql
>>>>>>> proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp
>>>>>>> tftp-client transmission-client vnc-server wbem-https
>>>>>>>
>>>>>>> I will only be running one AD, but a number of file servers (which in
>>>>>>> Samba4 are really DCs without some services?) .
>>>>>>>
>>>>>>> thanks
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>
>>> Ah, This might help:
>>> https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
>> There it is!  Shows my weak search foo.  Answers the udp ldap/s
>> question. Couple new questions though.
>>
>> mDNS?  Even if you are running DHCP which provides the Nameserver
>> address?  And again, the firewalld mdns service only specifies
>> udp; no tcp.
>>
>> And what to do for ports 1024-5000?  Open one?  Open a few?
>>
>>
>>> Didn't know it was there (probably because it wasn't, three days ago
>>> :-D     )
>> I suspect it was there, only edited 3 days ago.
>>
>>
>
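As an added example (not code from the thread or from Samba or firewalld), a small Python checker that does what the thread works through by hand: it parses firewalld-style service definitions, reports which AD DC ports none of the chosen services cover (the udp-only ldap service, 135, 3268 and the 1024-5000 dynamic range), and writes the gaps out as the custom service file Louis proposed. The service XML is constructed to match the stock files, and the well-known port numbers for the named services are an assumption; the Samba wiki page linked above is the authoritative list.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the files under /usr/lib/firewalld/services/ (the real
# ones also carry <short> and <description>); port lists mirror the stock definitions.
SAMPLE_SERVICES = {
    "dns": '<service><port protocol="tcp" port="53"/><port protocol="udp" port="53"/></service>',
    "kerberos": '<service><port protocol="tcp" port="88"/><port protocol="udp" port="88"/></service>',
    "kpasswd": '<service><port protocol="tcp" port="464"/><port protocol="udp" port="464"/></service>',
    "ldap": '<service><port protocol="tcp" port="389"/></service>',
    "ldaps": '<service><port protocol="tcp" port="636"/></service>',
    "samba": '<service><port protocol="udp" port="137"/><port protocol="udp" port="138"/>'
             '<port protocol="tcp" port="139"/><port protocol="tcp" port="445"/></service>',
}

# (label, protocol, low, high): what a DC must accept per the thread and the Samba
# wiki page it cites; well-known port numbers are assumed for the named services.
REQUIRED = [
    ("dns", "tcp", 53, 53), ("dns", "udp", 53, 53),
    ("kerberos", "tcp", 88, 88), ("kerberos", "udp", 88, 88),
    ("rpc endpoint mapper", "tcp", 135, 135),
    ("netbios-ns", "udp", 137, 137), ("netbios-dgm", "udp", 138, 138),
    ("netbios-ssn", "tcp", 139, 139), ("ldap", "tcp", 389, 389), ("cldap", "udp", 389, 389),
    ("smb", "tcp", 445, 445), ("kpasswd", "tcp", 464, 464), ("kpasswd", "udp", 464, 464),
    ("ldaps", "tcp", 636, 636), ("global catalog", "tcp", 3268, 3268),
    ("dynamic rpc", "tcp", 1024, 5000),
]

def parse_service(xml_text):
    """Return {(protocol, low, high)} for each <port>, expanding 'a-b' range specs."""
    ranges = set()
    for p in ET.fromstring(xml_text).iter("port"):
        low, _, high = p.get("port").partition("-")
        ranges.add((p.get("protocol"), int(low), int(high or low)))
    return ranges

def uncovered(enabled, services=SAMPLE_SERVICES):
    """Required entries no enabled service covers; a range must fit inside one rule."""
    have = set().union(*(parse_service(services[n]) for n in enabled))
    return [r for r in REQUIRED
            if not any(pr == r[1] and lo <= r[2] and r[3] <= hi for pr, lo, hi in have)]

def custom_service_xml(missing, short="samba-ad-dc"):
    """Render the gaps as a service file for /etc/firewalld/services/<short>.xml."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = short
    for _, proto, low, high in missing:
        ET.SubElement(svc, "port", protocol=proto, port=str(low) if low == high else f"{low}-{high}")
    return ET.tostring(svc, encoding="unicode")
```

Run `uncovered(["samba", "kerberos", "kpasswd", "dns", "ldap", "ldaps"])` with the service list Robert settled on and feed the result to `custom_service_xml` to get the extra service file those six do not cover.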
