[Samba] Samba4 and iptables
Kevin Field
kev at brantaero.com
Thu Aug 15 08:36:33 MDT 2013
Hi everyone,
I had posted recently about getting Samba4 to work on CentOS 6.4 but
having changes only replicating in one direction, from the Win2k3 AD but
not back to it. I solved the problem, this time, by disabling iptables.
I find it a bit hard to understand. These are the rules I have set up:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5888]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Additionally, I used to have -s 10.0.0.0/8 on all of the samba-related
ones, but then I couldn't connect to the new DC via the Windows AD Users
and Computers tool. Take away -s, and it works. So the above is now
what I have, but when iptables is enabled, I get "Warning: No NC
replicated for Connection!" on outbound when I run "samba-tool drs
showrepl" and I get errors like this in Windows Event Viewer:
Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date: 2013-08-15
Time: 10:21:27 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: OLDDC
Description:
The attempt to establish a replication link for the following writable
directory partition failed.
Directory partition:
DC=mydomain,DC=lan
Source domain controller:
CN=NTDS
Settings,CN=NEWDC,CN=Servers,CN=mydomain-office,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Source domain controller address:
fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan
Intersite transport (if any):
This domain controller will be unable to replicate with the source
domain controller until this problem is corrected.
User Action
Verify if the source domain controller is accessible or network
connectivity is available.
Additional Data
Error value:
1722 The RPC server is unavailable.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
------------- (end quote)
Also, the AD Replication Status Viewer tool will say that NEWDC cannot
be contacted. Disable iptables, and voila, it starts reporting
successful replication.
IIUC it's the port 135 that allows RPC contact, which I believe my
iptables config above should correctly open. If not, could someone show
me where I've gone wrong here?
Thanks,
Kev
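An added check, not part of the original message: it compares the INPUT rules posted above (embedded here as a constructed sample, one rule per line) against the listeners a Samba AD DC must accept, and reports what the ruleset leaves closed. MS-RPC replication needs TCP 135 (the endpoint mapper) plus a dynamic high-port range; the range used below is an assumption and should be set to the one your Samba release actually uses.

```shell
#!/bin/sh
# Constructed sample reproducing the samba-related INPUT rules from the post.
RULES='-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Listeners an AD DC must accept from other DCs and clients.
# The dynamic RPC range is an ASSUMPTION: Samba's "rpc server dynamic port
# range" defaults to 49152-65535 on current releases; older 4.x releases used
# a different range, so set this to whatever your DC is configured with.
REQUIRED='tcp 53 dns
udp 53 dns
tcp 88 kerberos
udp 88 kerberos
tcp 135 rpc-endpoint-mapper
udp 137 netbios-ns
udp 138 netbios-dgm
tcp 139 netbios-ssn
tcp 389 ldap
udp 389 cldap
tcp 445 smb
tcp 464 kpasswd
udp 464 kpasswd
tcp 636 ldaps
tcp 3268 gc
tcp 3269 gc-ssl
tcp 49152:65535 rpc-dynamic'

# rule_opens PROTO PORT: succeeds if an INPUT ACCEPT rule matches that
# protocol and destination port (trailing spaces keep 53 from matching 530).
rule_opens() {
    printf '%s\n' "$RULES" | grep -Eq "^-A INPUT .*-p $1 .*--dport $2 .*-j ACCEPT"
}

# missing_ports: prints "proto/port service" for each required listener
# that no ACCEPT rule covers.
missing_ports() {
    printf '%s\n' "$REQUIRED" | while read -r proto port svc; do
        rule_opens "$proto" "$port" || printf '%s/%s %s\n' "$proto" "$port" "$svc"
    done
}

missing_ports
```

Against the posted rules this lists TCP 135 and the dynamic RPC range among the closed listeners, which matches the "RPC server is unavailable" error the old DC logs.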