[Samba] Samba AD firewalld services

Robert Moskowitz rgm at htt-consult.com
Thu Aug 27 13:49:21 UTC 2015


Oh, this really helps.  See below, though.

On 08/27/2015 09:33 AM, Rowland Penny wrote:
> On 27/08/15 14:25, Robert Moskowitz wrote:
>> Progress...
>>
>> On 08/27/2015 08:50 AM, L.P.H. van Belle wrote:
>>> After reading this thread.. and ..seeing the comments..
>>>
>>> I googled a bit around. and yes.. more than 5 sec..  ;-)
>>>
>>> I wonder why almost every "centos/redhat/rpm based" howto replaces 
>>> firewalld with the base iptables service.
>>> Now, I'm not "pro" systemd or con systemd; I use it, but I set my 
>>> firewall with ufw,
>>> which is much more flexible in my opinion.
>>> I just don't care about how it starts.. as long as it works..
>>>
>>> so i found this one..
>>> http://www.certdepot.net/rhel7-get-started-firewalld/
>>> looks very nice, it explains all.
>>> Based on that, how to create a "samba4-ad" service with multiple ports 
>>> in it,
>>> or better, split it up into..
>>> samba4-kerberos
>>> samba4-smbd
>>> samba4-nmbd
>>> etc..
>>
>> I have looked at the actual /usr/lib/firewalld/services xml files and 
>> find that I should use:
>>
>> samba kerberos kpasswd dns ldap ldaps
>>
>> And need to create services for tcp ports 135 (rpc) and 3268 (MS 
>> Global Catalog), or just do those as ports.
>>
>> Still to be worked out are:
>>
>> what about ldap and ldaps over udp?  And do I need a rule for port 1024?
>>
>> thanks
>>
>>>
>>> The only thing I can't see there in the "HAProxy example" is that you can
>>> add multiple "port / protocols" in there.
>>> That's up to you.
>>>
>>> But I think you will manage that.
>>>
>>> .. side note..
>>> Firewalling is not really a samba topic.. but we are all (yes, 
>>> Rowland too) happy to help you..
>>> ;-)  Rowland is just not a "fan" of systemd..  ROFL...
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Bair
>>>> Sent: Thursday 27 August 2015 14:01
>>>> To: Robert Moskowitz
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba AD firewalld services
>>>>
>>>> The services and their port numbers and protocols are defined in
>>>> /etc/services. You should be able to use that file to map from
>>>> port numbers
>>>> to services if you want to use the service names instead. This is not
>>>> something new with firewalld, iptables has had this option
>>>> forever as well.
>>>>
>>>> On Thu, Aug 27, 2015 at 12:20 AM, Robert Moskowitz
>>>> <rgm at htt-consult.com>
>>>> wrote:
>>>>
>>>>> Now with firewalld, opening up ports is 'better' done by opening
>>>>> services.  So what do I need? For starters it seems:
>>>>>
>>>>> dns, dhcp, dhcpv6, samba, kerberos
>>>>>
>>>>> Here is the list of services:
>>>>>
>>>>> RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns
>>>>> ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap
>>>>> ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy
>>>>> pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client
>>>>> smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
>>>>>
>>>>> I will only be running one AD, but a number of file servers (which in
>>>>> Samba4 are really DCs without some services?) .
>>>>>
>>>>> thanks
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>>
>>>>
>>>
>>
>>
>
> Ah, this might help: 
> https://wiki.samba.org/index.php/Samba_AD_DC_port_usage

There it is!  Shows my weak search foo.  Answers the udp ldap/s 
question. Couple new questions though.

mDNS?  Even if you are running DHCP which provides the Nameserver 
address?  And again, the firewalld mdns service only specifies udp; no tcp.

And what to do for ports 1024-5000?  Open one?  Open a few?


>
> Didn't know it was there (probably because it wasn't, three days ago 
> :-D     )

I suspect it was there, only edited 3 days ago.
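The thread turns on two things: reading the stock service files under /usr/lib/firewalld/services to see what each named service actually opens (which is how the udp-only mdns service was noticed), and writing a custom service for the ports no stock service covers (135/tcp and 3268/tcp). The Python below is an added example, not code from any poster, from firewalld or from Samba. It parses a service definition into its (port, protocol) pairs and renders a new definition from a port list. The SAMPLE_MDNS_XML text and the service name samba-ad-extra are constructed for the example; the firewall-cmd calls in the trailing comments are the standard ones for installing a service file from /etc/firewalld/services.

```python
"""Inspect and generate firewalld service definitions (added example).

firewalld services are small XML files: the stock ones live in
/usr/lib/firewalld/services/, local additions and overrides go in
/etc/firewalld/services/.  This script lists the ports a service file
opens and builds a new service file from a list of ports.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the shape of the stock mdns.xml (udp only); the
# text is ours, not copied from a firewalld release.
SAMPLE_MDNS_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>mDNS</short>
  <description>Multicast DNS (constructed sample).</description>
  <port protocol="udp" port="5353"/>
</service>
"""

_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def check_port(spec):
    """Accept a single port ("3268") or a range ("1024-5000"); else raise."""
    m = _PORT_RE.match(str(spec))
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {spec!r}")
    return str(spec)


def service_ports(xml_text):
    """Return the sorted (port, protocol) pairs a service definition opens."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld <service> definition")
    return sorted((p.get("port"), p.get("protocol")) for p in root.findall("port"))


def protocols_for(xml_text):
    """Protocols a service touches; a quick way to spot udp-only services."""
    return sorted({proto for _, proto in service_ports(xml_text)})


def build_service_xml(short, description, ports):
    """Render a service definition for the given (port_spec, protocol) list.

    This example restricts itself to tcp and udp, the two protocols the
    thread is concerned with.
    """
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for spec, proto in ports:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto!r}")
        ET.SubElement(root, "port", protocol=proto, port=check_port(spec))
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def write_service(directory, name, short, description, ports):
    """Write <name>.xml into directory (/etc/firewalld/services on a real DC)."""
    path = Path(directory) / f"{name}.xml"
    path.write_text(build_service_xml(short, description, ports), encoding="utf-8")
    return path


if __name__ == "__main__":
    import tempfile

    print("mdns sample opens:", service_ports(SAMPLE_MDNS_XML),
          "protocols:", protocols_for(SAMPLE_MDNS_XML))
    # Hypothetical service name; the two ports are the ones the thread says
    # no stock service covers (rpc endpoint mapper and MS Global Catalog).
    extra = [("135", "tcp"), ("3268", "tcp")]
    with tempfile.TemporaryDirectory() as tmp:
        p = write_service(tmp, "samba-ad-extra", "Samba AD extra",
                          "MS RPC endpoint mapper and Global Catalog", extra)
        print(p.read_text())
    # On the DC, after copying the file into /etc/firewalld/services/:
    #   firewall-cmd --reload
    #   firewall-cmd --permanent --add-service=samba-ad-extra
    #   firewall-cmd --permanent --add-service=samba --add-service=kerberos
    #   firewall-cmd --permanent --add-service=kpasswd --add-service=dns
    #   firewall-cmd --permanent --add-service=ldap --add-service=ldaps
    #   firewall-cmd --reload
```

A firewalld `<port>` element takes a range in the form `port="1024-5000"`, so whatever range is eventually settled on for the dynamic RPC ports is a single entry in the service file rather than a list of individual ports; the example validates that form but does not decide which range a DC needs.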



