Auth question.

[Ken Cross]

I'm pretty sure that Kerberos uses port 88, but that's just for
authentication.  Port 445 is used for connecting to shares.

We've been running tests blocking ports.  With ports 137 - 139 and 445
blocked for UDP and TCP, the join fails but the computer name is still
entered in the AD.  With just ports 137 - 139 blocked (445 enabled), the
join succeeds and all client share operations seem to function correctly
as long as there is no NetBIOS name resolution involved.

Hope this helps.

Ken


-----Original Message-----
From: samba-technical-admin at lists.samba.org
[mailto:samba-technical-admin at lists.samba.org] On Behalf Of Christopher
R. Hertel
Sent: Wednesday, January 22, 2003 1:42 AM
To: Andrew Bartlett
Cc: samba-technical at samba.org
Subject: Re: Auth question.


On Wed, Jan 22, 2003 at 05:30:45AM +0000, Andrew Bartlett wrote:
> On Tue, Jan 21, 2003 at 09:13:38PM -0600, Christopher R. Hertel wrote:
> > I *think* it's a rule that Kerberos authentication is always used 
> > with
> > SMB over TCP (port 445) and that Kerberos is *not* used with SMB
over NBT 
> > (port 139).
> > 
> > Am I wrong?
> 
> I think you are wrong.  As far as I know there is no per-port stuff.

Quite possibly.  That's why I asked.  :)

...but which clients would actually do this, and under what conditions?

Of the Windows clients and servers, only W2K and XP-pro know how to work
with Kerberos (does /Me handled Kerberos auth?).  I *imagine* that those
systems use port 445 instead of 139 whenever they can.  If both client
and server know how to handle Kerberos then they likely also know how to
use port 445.

So, unless I'm totally insane, the likelihood of Kerberos auth being
used 
over port 139 is low.

Totally Insane -)-----

-- 
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development,
uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org