[Samba] ms-rpc dynamic port range

Andrew Bartlett abartlet at samba.org
Fri Oct 28 01:24:32 UTC 2016

On Thu, 2016-10-27 at 20:39 +0200, Denis Cardon via samba wrote:
> Hi everyone,
> According to the samba wiki page [1], samba ms-rpc dynamic port range is
> 1024-5000, which looks mostly coherent with a quick tcpdump analysis.
> However it seems like there are also some connections in the upper range
> for MS-RPC, 49152-65535.
> It seems that the lower range would be for AD2003 according to kb832017,
> and that the upper range would be for AD2008 and up [2].
> So my question is, what is the range that is used?

1024, or whatever the first available port it can bind to.

We don't even use a second port right now, but I want to fix that to
help make NETLOGON multi-process.

> Actually, my grepping in the source code was quite unlucky because I
> didn't even find where it was defined in samba source code... And I
> guess there aren't any smb.conf parameters to control those values?
> I was digging into this question after negotiating port openings for
> the dynamic range with the network/security team at a client.
> Another similar question I have is about the drs replication port, and
> if it can be set to a fixed value in order to limit the replication
> partners through firewalling, like in MS KB224196 [3]?

I would like to add that.  My plan is to allow specification of a port
per-service.  That will help me work around a limitation in
socket_wrapper and help your use case. 

I also think we should have further limitations on DRS access, e.g. by
forcing all DRS traffic to only access Samba over SSH.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
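The question underneath this thread is which dynamic range a firewall rule actually has to allow. The script below is an added example, not Samba code and not something from the thread's participants: it takes a handful of constructed tcpdump-style lines (the `-n` "src.port > dst.port" layout is assumed), keeps only the initial SYN of each connection, and buckets destination ports into the two ranges discussed above, 1024-5000 and 49152-65535, so an administrator can see per-server which range a capture really used before negotiating port openings.

```python
"""Classify observed RPC connection attempts by dynamic-port range.

Added example for the thread above, not part of Samba. The two ranges
are the ones quoted in the discussion: 1024-5000 and 49152-65535.
Everything else (fixed service ports, for instance) is reported as
"other" so it is not mistaken for dynamic-range traffic.
"""
import re
from collections import Counter, defaultdict

# Constructed sample capture (assumed tcpdump -n format, not a real trace).
# Only lines with Flags [S] are new connections; [S.] is the SYN/ACK reply.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.50412 > 10.0.0.1.1024: Flags [S], seq 1, length 0
12:00:01.000002 IP 10.0.0.1.1024 > 10.0.0.5.50412: Flags [S.], seq 2, length 0
12:00:01.000003 IP 10.0.0.5.50413 > 10.0.0.1.1025: Flags [S], seq 3, length 0
12:00:01.000004 IP 10.0.0.5.50414 > 10.0.0.1.389: Flags [S], seq 4, length 0
12:00:02.000001 IP 10.0.0.7.40001 > 10.0.0.2.49158: Flags [S], seq 5, length 0
12:00:02.000002 IP 10.0.0.7.40002 > 10.0.0.2.389: Flags [S], seq 6, length 0
garbage line that should be ignored
"""

# Match "IP <src>.<sport> > <dst>.<dport>: Flags [S]" (initial SYN only).
SYN_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\]")

RANGES = {
    "low (1024-5000)": range(1024, 5001),
    "high (49152-65535)": range(49152, 65536),
}


def classify_port(port):
    """Name the dynamic range a port falls in, or 'other'."""
    for name, r in RANGES.items():
        if port in r:
            return name
    return "other"


def parse_syn(line):
    """Return (src, sport, dst, dport) for an initial SYN, else None."""
    m = SYN_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)


def summarize(capture_text):
    """Count new connections per destination host, keyed by port range."""
    per_dst = defaultdict(Counter)
    for line in capture_text.splitlines():
        parsed = parse_syn(line)
        if parsed is None:
            continue
        _src, _sport, dst, dport = parsed
        per_dst[dst][classify_port(dport)] += 1
    return {dst: dict(counts) for dst, counts in per_dst.items()}


def ranges_in_use(capture_text):
    """The set of dynamic ranges a firewall rule would need to permit."""
    used = set()
    for counts in summarize(capture_text).values():
        used.update(name for name in counts if name != "other")
    return used


if __name__ == "__main__":
    for dst, counts in sorted(summarize(SAMPLE).items()):
        print(dst, counts)
    print("dynamic ranges seen:", sorted(ranges_in_use(SAMPLE)))
```

Run it against a real capture by replacing `SAMPLE` with the output of `tcpdump -n` filtered to the servers of interest; a host that only ever shows "low (1024-5000)" hits gives the security team a much narrower rule than opening both ranges.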
