[Samba] Samba4: The mit list insist that file server and DC must be one and the same

Linda A. Walsh law at tlinx.org
Sat Aug 18 23:09:58 MDT 2012


steve wrote:
>
> My only remaining question is that to open port 22 on the file server,
> I've had to open all the other ports, otherwise I could not kinit or
> anything else. Could you/is there a list of ports which need to be
> open for a S3 fileserver which is also an NFS server to be able to
> communicate with the rest of the LAN without all ports being opened?
>
> As we have Kerberos at both ends, maybe it would be better to ssh using
> that?
---
     1) Define "better" (less work for which people? faster operation?
easier to manage?). With my idea of "better" for my usage, whichever
works both fast and reliably, is easiest to put in place, and requires
the least overall maintenance in the long run would be the
considerations -- though for prototyping, whatever is easiest/fastest to
put in place that does the job.

     So it sounds like kinit (I'm not a Kerberos-familiar person) is a
Kerberos thing, so it probably uses a standard port. Grepping through my
/etc/services I see several ports for Kerberos usage -- perhaps kinit or
a Kerberos manual documents what is needed? Either that, or look at what
ports are 'owned' by your krb servers -- use netstat as root with "-p",
and for each open port it will show you what program is using it -- so
you can come up with a list of ports that the server(s) are listening
on. Now, whether or not all of those are needed for your particular task
is another matter (Wireshark can narrow things down if you really want
that level of granularity).

     Pretty much similar advice for SMB/CIFS -- except that the likely
answer there is port 445. From your setup I'd think NetBIOS ports
137-139 wouldn't be needed, but it depends on which tools & options you
are using (and network layout).

     If you wanted to be really security conscious, you could forward
445 over ssh. NetBIOS uses datagrams, which I don't think forward easily
over ssh, but if you wanted, you could even set up a VPN connection over
SSH and all the ports would be forwarded through SSH. It depends on your
security needs and where you are most comfortable doing the work (as it
can likely be done in multiple ways) --- none of which can be defined as
"BEST", except under very specific circumstances...
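The port-inventory procedure the reply describes (netstat/ss with "-p" to see which program owns each listening socket, then /etc/services to put a name on each port), written out as a runnable script. This is an added example, not code from the original poster, from Samba, or from the list; the `ss -tulnp` column layout, the process names (smbd, nmbd, krb5kdc, rpcbind, sshd) and the port numbers in the sample are constructed for the example so it runs offline, and the same functions accept the real command output on a live host.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): build the
# "what is listening, and who owns it" list the reply suggests, from
# ss/netstat -p output plus /etc/services.  Both inputs below are
# constructed samples so this runs offline; on a real host feed it the
# real command output (see the last lines).

# Constructed sample of `ss -tulnp` output from a Samba + NFS + KDC host.
# Assumption: this column layout (Netid State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      50     0.0.0.0:445   0.0.0.0:*  users:(("smbd",pid=1201,fd=35))
tcp   LISTEN 0      50     0.0.0.0:139   0.0.0.0:*  users:(("smbd",pid=1201,fd=36))
udp   UNCONN 0      0      0.0.0.0:137   0.0.0.0:*  users:(("nmbd",pid=1190,fd=16))
udp   UNCONN 0      0      0.0.0.0:138   0.0.0.0:*  users:(("nmbd",pid=1190,fd=17))
tcp   LISTEN 0      64     0.0.0.0:2049  0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111   0.0.0.0:*  users:(("rpcbind",pid=640,fd=4))
udp   UNCONN 0      0      0.0.0.0:88    0.0.0.0:*  users:(("krb5kdc",pid=900,fd=9))'

# Constructed excerpt of /etc/services (same "name port/proto" layout as the real file).
SAMPLE_SERVICES='ssh             22/tcp
kerberos        88/tcp
kerberos        88/udp
sunrpc          111/tcp
netbios-ns      137/udp
netbios-dgm     138/udp
netbios-ssn     139/tcp
microsoft-ds    445/tcp
nfs             2049/tcp'

# listeners: ss -tulnp output on stdin -> one "proto port program" line per
# socket, sorted by port.  Kernel-owned sockets (nfsd here) carry no
# Process column in ss output, so they are labelled "(kernel)".
listeners() {
    awk 'NR > 1 {
        n = split($5, addr, ":"); port = addr[n]      # last field after ":" also handles [::]:port
        prog = "(kernel)"
        if (match($0, /"[^"]+"/)) prog = substr($0, RSTART + 1, RLENGTH - 2)
        print $1, port, prog
    }' | sort -k2,2n
}

# service_name PROTO PORT: services table on stdin -> service name, or "unknown".
service_name() {
    awk -v key="$2/$1" '$2 == key { print $1; found = 1; exit }
                        END { if (!found) print "unknown" }'
}

# port_inventory [SS_OUTPUT] [SERVICES_TEXT]: join the two into
# "proto port service program" lines; defaults to the constructed samples.
port_inventory() {
    ss_out=${1:-$SAMPLE_SS}; services=${2:-$SAMPLE_SERVICES}
    printf '%s\n' "$ss_out" | listeners | while read -r proto port prog; do
        name=$(printf '%s\n' "$services" | service_name "$proto" "$port")
        printf '%s %s %s %s\n' "$proto" "$port" "$name" "$prog"
    done
}

# Stand-alone run on the constructed samples.  On a real host (as root, so
# that -p can see other users' processes):
#   port_inventory "$(ss -tulnp)" "$(cat /etc/services)"
# netstat -tulnp gives equivalent input on systems without ss.
port_inventory
```

The output is the list the reply talks about: one line per listening socket with its service name and owning program, which is the starting point for a firewall rule set. As the reply says, it is a superset of what a given client actually needs; a capture during a `kinit` or a share mount trims it further. Two added caveats, not from the post: with a local `ssh -L` forward of 445 the client side must bind port 445 itself, which needs privileges and conflicts with any SMB listener already on that client, and the UDP NetBIOS ports (137/138 above) cannot be carried by a plain `ssh -L`, which forwards TCP only.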