Samba 4.0 AD DC firewall ports

Jon Reeves jon at
Fri Dec 28 15:16:51 MST 2012

That's a useful link, and NTP should definitely be open.  I think we should
be aiming for secure by default but can see that further research is
required and quite possibly is dependent on the external windows
environment - for instance, someone pointed out to me that the NETBIOS
ports probably aren't necessary anymore and after closing udp 137:138 and
tcp 139, everything appears to still be working correctly.

Of course, this is just a test environment and I only have one DC and one
Windows 7 client so it may well be that more ports are required for other
client OSes or multiple DCs, sites, etc.  I will start reading up...

On 28 December 2012 22:05, Andrew Bartlett <abartlet at> wrote:

> On Fri, 2012-12-28 at 19:59 +0000, Jon Reeves wrote:
> > Hi all,
> >
> > I've just successfully set up a Samba 4 DC on Centos 6.3 but found a few
> > things that I think should be added to the How To page on the wiki.
> >
> > First off, can we add a section on what ports need to be opened?  I got
> > most of it working from a quick Google, only to find several hours later
> > that the Global Catalog could not be contacted.  Here are my iptables
> rules
> > that I think cover everything:
> >
> > -A INPUT -p tcp -m tcp --dport 3268 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 1024 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 389 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 464 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 88 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 135 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 137:138 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> One warning on trying to pin this down to a static list of ports.
> Samba, like Windows, supports dynamic RPC services.  The '1024' above is
> actually a dynamic port, and if something else occupies 1024 for some
> reason, it will be a different port.
> We don't just let the kernel allocate it, in the hope that we can grab
> 1024 (we literally walk up from 1024) but it isn't certain.
> a good list, and shows that you missed NTP (123) in the above.
> An on-by-default firewall is a good thing in general, but my general
> feeling is that you should first work out why you have a firewall
> between your AD clients and your AD DC, and then be ready to deal with
> the consequences, because they can be subtle.
> Of course, if your AD DC is on a hostile network, first fix that :-)
> Andrew Bartlett
> --
> Andrew Bartlett                      
> Authentication Developer, Samba Team 

More information about the samba-technical mailing list