[Samba] Samba4 and iptables

Kevin Field kev at brantaero.com
Thu Aug 15 08:36:33 MDT 2013 

Hi everyone,

I had posted recently about getting Samba4 to work on CentOS 6.4 but 
having changes only replicating in one direction, from the Win2k3 AD but 
not back to it.  I solved the problem, this time, by disabling iptables. 
  I find it a bit hard to understand.  These are the rules I have set up:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5888]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment 
--comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment 
--comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment 
--comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment 
--comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment 
--comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment 
--comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment 
--comment "LDAP Global Catalog SSL" -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Additionally, I used to have -s 10.0.0.0/8 on all of the samba-related 
ones, but then I couldn't connect to the new DC via the Windows AD Users 
and Computers tool.  Take away -s, and it works.  So the above is now 
what I have, but when iptables is enabled, I get "Warning: No NC 
replicated for Connection!" on outbound when I run "samba-tool drs 
showrepl" and I get errors like this in Windows Event Viewer:

Event Type:	Warning
Event Source:	NTDS KCC
Event Category:	Knowledge Consistency Checker
Event ID:	1925
Date:		2013-08-15
Time:		10:21:27 AM
User:		NT AUTHORITY\ANONYMOUS LOGON
Computer:	OLDDC
Description:
The attempt to establish a replication link for the following writable 
directory partition failed.

Directory partition:
DC=mydomain,DC=lan
Source domain controller:
CN=NTDS 
Settings,CN=NEWDC,CN=Servers,CN=mydomain-office,CN=Sites,CN=Configuration,DC=mydomain,DC=lan 

Source domain controller address:
fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan
Intersite transport (if any):


This domain controller will be unable to replicate with the source 
domain controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or network 
connectivity is available.

Additional Data
Error value:
1722 The RPC server is unavailable.

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

------------- (end quote)

Also, the AD Replication Status Viewer tool will say that NEWDC cannot 
be contacted.  Disable iptables, and voila, it starts reporting 
successful replication.

IIUC it's the port 135 that allows RPC contact, which I believe my 
iptables config above should correctly open.  If not, could someone show 
me where I've gone wrong here?

Thanks,
Kev

More information about the samba mailing list