[Samba] Samba on VPS in internet?

Jo L j.o.l at live.com
Fri Nov 18 17:00:35 UTC 2016


Hello all,
as I am still struggling with my replicating Samba setup (haven't yet tried Andrew's last suggestion - thanks for your support anyway), I am wondering whether I can put a DC on a virtual private server I run anyway. I think the obvious approach would be to run a VPN and configure Samba to listen on the tun interface, but unfortunately my routers don't run standard VPN protocols. Thus I am wondering what the risk is of exposing a Samba DC directly to the internet? Are all connections of a Samba DC encrypted and authenticated? I expect the exception of DNS queries/answers served by bind, but are there others? In fact I would expect encryption and authentication also for corporate networks not exposed to the internet.

root at dc1:/home/joachim# netstat -a -p -Ainet --numeric-ports| grep samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      1170/samba
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      1175/samba
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      1175/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1173/samba
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      1170/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      1173/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      1173/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1173/samba
tcp        0      0 192.168.177.21:1024     192.168.15.22:56668     VERBUNDEN   1170/samba
udp        0      0 192.168.177.21:389      0.0.0.0:*                           1174/samba
udp        0      0 0.0.0.0:389             0.0.0.0:*                           1174/samba
udp        0      0 192.168.177.21:464      0.0.0.0:*                           1175/samba
udp        0      0 0.0.0.0:464             0.0.0.0:*                           1175/samba
udp        0      0 192.168.177.21:88       0.0.0.0:*                           1175/samba
udp        0      0 0.0.0.0:88              0.0.0.0:*                           1175/samba
udp        0      0 192.168.177.21:137      0.0.0.0:*                           1171/samba
udp        0      0 192.168.177.255:137     0.0.0.0:*                           1171/samba
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1171/samba
udp        0      0 192.168.177.21:138      0.0.0.0:*                           1171/samba
udp        0      0 192.168.177.255:138     0.0.0.0:*                           1171/samba
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1171/samba

389 is standard LDAP, i.e. not encrypted, 636 is the port using TLS. How can I close port 389 so that no client can unintentionally communicate insecurely? Are there other pairs?
Anyone done this?

Thanks & Best regards, Joachim
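
Added example, not part of the original post: a small Python audit of `netstat` output in the format quoted above, reporting which Samba ports are bound to 0.0.0.0 (all interfaces) and which only to specific addresses. The sample lines are constructed from the listing in the post; the function names are hypothetical.

```python
"""Classify Samba sockets from `netstat -a -p -Ainet --numeric-ports` output."""
from collections import defaultdict

# Constructed sample: a few lines in the format of the listing quoted in the post.
SAMPLE = """\
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1173/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1173/samba
tcp        0      0 192.168.177.21:1024     192.168.15.22:56668     VERBUNDEN   1170/samba
udp        0      0 192.168.177.21:137      0.0.0.0:*                           1171/samba
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1171/samba
udp        0      0 192.168.177.21:88       0.0.0.0:*                           1175/samba
"""


def parse_sockets(text, program="samba"):
    """Yield (proto, local_addr, port) for unconnected sockets owned by `program`."""
    for line in text.splitlines():
        fields = line.split()
        # tcp rows carry a state column (7 fields); udp rows leave it empty (6 fields).
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        if not fields[-1].endswith("/" + program):
            continue
        # A remote side of 0.0.0.0:* marks a listening or unconnected socket;
        # anything else is an established connection and is skipped. Testing the
        # remote column avoids depending on the localized state text (VERBUNDEN).
        if fields[4] != "0.0.0.0:*":
            continue
        addr, _, port = fields[3].rpartition(":")
        yield fields[0], addr, int(port)


def exposure(text):
    """Map (proto, port) to 'all-interfaces' or the sorted list of bound addresses."""
    binds = defaultdict(set)
    for proto, addr, port in parse_sockets(text):
        binds[(proto, port)].add(addr)
    # A wildcard bind covers every interface, even if specific binds also exist.
    return {key: "all-interfaces" if "0.0.0.0" in addrs else sorted(addrs)
            for key, addrs in binds.items()}


if __name__ == "__main__":
    for (proto, port), where in sorted(exposure(SAMPLE).items()):
        print(f"{proto}/{port}: {where}")
```

Run against the full listing, every port reported as `all-interfaces` is one that a host firewall or an interface restriction has to cover before the server gets a public address.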

