[Samba] ms-rpc dynamic port range

Andrew Bartlett abartlet at samba.org
Fri Oct 28 01:24:32 UTC 2016


On Thu, 2016-10-27 at 20:39 +0200, Denis Cardon via samba wrote:
> Hi everyone,
> 
> According to the samba wiki page [1], samba ms-rpc dynamic port range
> is 1024-5000, which looks mostly coherent with a quick tcpdump
> analysis. However it seems like there are also some connections in the
> upper range or MS-RPC 49152-65535.
> 
> It seems that the lower range would be for AD2003 according to
> kb832017, and that the upper range would be for AD2008 and up [2].
> 
> So my question is, what is the range that is used? 

1024, or whatever the first available port it can bind to.

We don't even use a second port right now, but I want to fix that to
help make NETLOGON multi-process.

> Actually, my grep'ing in the source code was quite unlucky because I
> didn't even find where it was defined in samba source code... And I
> guess there aren't any smb.conf parameters to control those values?
> 
> I was digging into this question after negotiating port openings for 
> dynamic range with the network/security team at a client.
> 
> Another similar question I have is about the drs replication port, and
> if it can be set to a fixed value in order to limit the replication
> partners through firewalling, like in MS KB224196 [3]?

I would like to add that.  My plan is to allow specification of a port
per-service.  That will help me work around a limitation in
socket_wrapper and help your use case.

I also think we should have further limitations on DRS access, e.g. by
forcing all DRS traffic to only access Samba over SSH.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
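The thread contrasts two Windows dynamic RPC ranges (1024-5000 and 49152-65535) and states that Samba simply takes the first port it can bind from 1024 upward. The following script is an added example, not code from the thread or from Samba: it classifies listener ports from a constructed `ss -tln`-style listing against those two ranges (useful when negotiating firewall rules) and mimics the first-free-port bind behaviour. The sample listener lines and range labels are my own construction.

```python
import re
import socket

LEGACY_RANGE = (1024, 5000)    # pre-2008 style dynamic range mentioned in the thread
MODERN_RANGE = (49152, 65535)  # 2008+ style dynamic range mentioned in the thread

# Constructed sample in the shape of `ss -tln` output; not captured from a real host.
SAMPLE_LISTENERS = """\
LISTEN 0 50 0.0.0.0:135 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 50 0.0.0.0:1024 0.0.0.0:*
LISTEN 0 50 0.0.0.0:49153 0.0.0.0:*
LISTEN 0 50 [::]:389 [::]:*
"""


def classify_port(port: int) -> str:
    """Name the range a port falls in, so firewall openings can be reasoned about."""
    if port < 1024:
        return "well-known"
    if LEGACY_RANGE[0] <= port <= LEGACY_RANGE[1]:
        return "dynamic-legacy"
    if MODERN_RANGE[0] <= port <= MODERN_RANGE[1]:
        return "dynamic-modern"
    return "other"


def listener_ports(ss_output: str) -> list[int]:
    """Extract local ports from ss-style LISTEN lines (IPv4 and [IPv6] forms)."""
    ports = []
    for line in ss_output.splitlines():
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+(?:\[[^\]]*\]|[\d.*]+):(\d+)\s", line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def summarize(ss_output: str) -> dict[str, list[int]]:
    """Group observed listener ports by the range they belong to."""
    summary: dict[str, list[int]] = {}
    for port in listener_ports(ss_output):
        summary.setdefault(classify_port(port), []).append(port)
    return summary


def first_free_port(start: int = 1024, host: str = "127.0.0.1") -> int:
    """Walk up from `start` and return the first port this process can bind."""
    for port in range(start, 65536):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            try:
                s.bind((host, port))
                return port
            except OSError:
                continue  # in use or not permitted; try the next one
    raise RuntimeError("no free port found")
```

Running `summarize(SAMPLE_LISTENERS)` shows at a glance which of the two dynamic ranges a host actually uses, which is the information a firewall team needs before opening a whole range.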
