[Samba] firewalld services to open for an ADDC

Jeff Sadowski jeff.sadowski at gmail.com
Tue Feb 13 16:07:57 UTC 2018


On Tue, Feb 13, 2018 at 8:46 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> On Tue, Feb 13, 2018 at 8:30 AM, L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
>> Hai,
>>
>> If you use that or the AD, then it's incomplete, imo.
>> You're missing ldaps (636) and the GC (ssl, 3268/3269) ports and maybe NTP (123/tcp) if installed.
>> Maybe you don't need them, just an observation.
>>
>
> Oh I see, I need to look at the ports in the chart, not just the ones
> listed in the example.
>
> I'll add to my list.
>
So I went back and found
[root@dc1 ~]# grep -e 53 -e 88 -e 135 -e 137 -e 138 -e 139 -e 389 -e 445 \
    -e 464 -e 636 -e 49152 -e 65535 -e 3268 -e 3269 \
    /usr/lib/firewalld/services/*.xml | sed "s/.*services\///"
cfengine.xml:  <port protocol="tcp" port="5308"/>
dns.xml:  <port protocol="tcp" port="53"/>
dns.xml:  <port protocol="udp" port="53"/>
freeipa-ldaps.xml:  <port protocol="tcp" port="88"/>
freeipa-ldaps.xml:  <port protocol="udp" port="88"/>
freeipa-ldaps.xml:  <port protocol="tcp" port="464"/>
freeipa-ldaps.xml:  <port protocol="udp" port="464"/>
freeipa-ldaps.xml:  <port protocol="tcp" port="636"/>
freeipa-ldap.xml:  <port protocol="tcp" port="88"/>
freeipa-ldap.xml:  <port protocol="udp" port="88"/>
freeipa-ldap.xml:  <port protocol="tcp" port="464"/>
freeipa-ldap.xml:  <port protocol="udp" port="464"/>
freeipa-ldap.xml:  <port protocol="tcp" port="389"/>
freeipa-replication.xml:  <port protocol="tcp" port="7389"/>
freeipa-trust.xml:  <port protocol="tcp" port="135"/>
freeipa-trust.xml:  <port protocol="tcp" port="138-139"/>
freeipa-trust.xml:  <port protocol="udp" port="138-139"/>
freeipa-trust.xml:  <port protocol="tcp" port="389"/>
freeipa-trust.xml:  <port protocol="udp" port="389"/>
freeipa-trust.xml:  <port protocol="tcp" port="445"/>
freeipa-trust.xml:  <port protocol="udp" port="445"/>
freeipa-trust.xml:  <port protocol="tcp" port="3268"/>
kerberos.xml:  <port protocol="tcp" port="88"/>
kerberos.xml:  <port protocol="udp" port="88"/>
kpasswd.xml:  <port protocol="tcp" port="464"/>
kpasswd.xml:  <port protocol="udp" port="464"/>
ldaps.xml:  <port protocol="tcp" port="636"/>
ldap.xml:  <port protocol="tcp" port="389"/>
mdns.xml:  <port protocol="udp" port="5353"/>
ms-wbt.xml:  <port protocol="tcp" port="3389"/>
samba-client.xml:  <port protocol="udp" port="137"/>
samba-client.xml:  <port protocol="udp" port="138"/>
samba.xml:  <port protocol="udp" port="137"/>
samba.xml:  <port protocol="udp" port="138"/>
samba.xml:  <port protocol="tcp" port="139"/>
samba.xml:  <port protocol="tcp" port="445"/>
vdsm.xml:  <port protocol="tcp" port="49152-49216"/> <!-- migration -->

which gives me a few more. I now have

firewall-cmd --add-service=dns --permanent
firewall-cmd --add-service=samba --permanent
firewall-cmd --add-service=kerberos --permanent
firewall-cmd --add-service=ldap --permanent
firewall-cmd --add-service=ldaps --permanent
firewall-cmd --add-service=kpasswd --permanent
firewall-cmd --add-service=ms-wbt --permanent
firewall-cmd --add-service=freeipa-trust --permanent
firewall-cmd --reload

Do I need "Dynamic RPC Ports" and "Global Catalog SSL"?
It's odd that vdsm covers some of the Dynamic RPC Ports.


>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jeff
>>> Sadowski via samba
>>> Sent: Tuesday, 13 February 2018 16:05
>>> To: Marc Muehlfeld
>>> CC: Ing. Luis Felipe Domíngu.
>>> Subject: Re: [Samba] firewalld services to open for an ADDC
>>>
>>> On Mon, Feb 12, 2018 at 11:50 PM, Marc Muehlfeld
>>> <mmuehlfeld at samba.org> wrote:
>>> > Hi Jeff,
>>> >
>>> > Am 13.02.2018 um 05:16 schrieb Jeff Sadowski via samba:
>>> >> So my question is what services or ports am I missing to open?
>>> >
>>> > AD DCs:
>>> > https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
>>>
>>> Perfect, exactly what I was looking for.
>>> I found some docs about firewalld saying that the service files are kept in
>>> /usr/lib/firewalld/services, so I did
>>> [root@dc1 ~]# grep -e 139 -e 88 -e 445 /usr/lib/firewalld/services/*.xml
>>> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port protocol="tcp" port="88"/>
>>> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port protocol="udp" port="88"/>
>>> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port protocol="tcp" port="88"/>
>>> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port protocol="udp" port="88"/>
>>> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="tcp" port="138-139"/>
>>> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="udp" port="138-139"/>
>>> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="tcp" port="445"/>
>>> /usr/lib/firewalld/services/freeipa-trust.xml:  <port protocol="udp" port="445"/>
>>> /usr/lib/firewalld/services/kerberos.xml:  <port protocol="tcp" port="88"/>
>>> /usr/lib/firewalld/services/kerberos.xml:  <port protocol="udp" port="88"/>
>>> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp" port="139"/>
>>> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp" port="445"/>
>>> so by adding
>>>
>>> firewall-cmd --add-service=dns --permanent
>>> firewall-cmd --add-service=samba --permanent
>>> firewall-cmd --add-service=kerberos --permanent
>>> firewall-cmd --reload
>>>
>>> I should have all the ports I need.
>>> Thank you.
>>>
>>> >
>>> > Domain members:
>>> > https://wiki.samba.org/index.php/Samba_Domain_Member_Port_Usage
>>> >
>>> >
>>> > Regards,
>>> > Marc
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>>


