Samba 4.0 AD DC firewall ports

Andrew Bartlett abartlet at samba.org
Fri Dec 28 15:05:33 MST 2012


On Fri, 2012-12-28 at 19:59 +0000, Jon Reeves wrote:
> Hi all,
> 
> I've just successfully set up a Samba 4 DC on Centos 6.3 but found a few
> things that I think should be added to the How To page on the wiki.
> 
> First off, can we add a section on what ports need to be opened?  I got
> most of it working from a quick Google, only to find several hours later
> that the Global Catalog could not be contacted.  Here are my iptables rules
> that I think cover everything:
> 
> -A INPUT -p tcp -m tcp --dport 3268 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 1024 -j ACCEPT
> -A INPUT -p udp -m udp --dport 389 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 464 -j ACCEPT
> -A INPUT -p udp -m udp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 135 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
> -A INPUT -p udp -m udp --dport 137:138 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT

One warning on trying to pin this down to a static list of ports.
Samba, like Windows, supports dynamic RPC services.  The '1024' above is
actually a dynamic port, and if something else occupies 1024 for some
reason, it will be a different port.

We don't just let the kernel allocate it, in the hope that we can grab
1024 (we literally walk up from 1024) but it isn't certain.

http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx gives a good list, and shows that you missed NTP (123) in the above. 

An on-by-default firewall is a good thing in general, but my general
feeling is that you should first work out why you have a firewall
between your AD clients and your AD DC, and then be ready to deal with
the consequences, because they can be subtle.  

Of course, if your AD DC is on a hostile network, first fix that :-)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
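An added example, not part of the thread: a small POSIX shell audit that expands the iptables rules quoted above and lists the sockets a DC is listening on that no ACCEPT rule covers, so the dynamic RPC port and NTP/123 that Andrew points out surface before a client fails. The listening list is a constructed sample; on a real DC it would come from `ss -lntu`.

```shell
#!/bin/sh
# Added example, not from the thread: report sockets a Samba AD DC listens on
# that no iptables ACCEPT rule covers. Both inputs are constructed samples.

# The rules from the thread, as `iptables-save` prints them.
RULES='-A INPUT -p tcp -m tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1024 -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 135 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'

# Constructed listening sockets as "proto/port" (on a real DC, derive them
# from `ss -lntu`). Here the RPC endpoint was handed out on 1025 because 1024
# was busy, and ntpd listens on 123: exactly what a static port list misses.
LISTEN='tcp/53 udp/53 tcp/88 udp/88 udp/123 tcp/135 udp/137 udp/138 tcp/139
tcp/389 udp/389 tcp/445 tcp/464 tcp/1025 tcp/3268'

# Expand every ACCEPT rule (including --dport A:B ranges) into proto/port lines.
allowed_ports() {
  printf '%s\n' "$RULES" | awk '/-j ACCEPT/ {
    for (i = 1; i <= NF; i++) { if ($i == "-p") pr = $(i+1); if ($i == "--dport") rg = $(i+1) }
    n = split(rg, r, ":"); lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
    for (p = lo; p <= hi; p++) print pr "/" p }'
}

# Listening sockets without a matching ACCEPT rule, one per line, sorted.
uncovered_ports() {
  { allowed_ports; echo '---'; printf '%s\n' $LISTEN; } |
    awk '/^---$/ { seen = 1; next } !seen { ok[$0] = 1; next } !($0 in ok)' | sort
}

uncovered_ports
```

With the sample above the script prints `tcp/1025` and `udp/123`, the two holes the thread discusses.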