[Samba] firewalld services to open for an ADDC

L.P.H. van Belle belle at bazuin.nl
Tue Feb 13 16:12:40 UTC 2018


You have some doubles.

> freeipa-ldaps.xml:  <port protocol="tcp" port="464"/>
> freeipa-ldaps.xml:  <port protocol="udp" port="464"/>


> freeipa-ldap.xml:  <port protocol="tcp" port="464"/>
> freeipa-ldap.xml:  <port protocol="udp" port="464"/>

The correct one.
> kpasswd.xml:  <port protocol="tcp" port="464"/>
> kpasswd.xml:  <port protocol="udp" port="464"/>



> -----Original message-----
> From: Jeff Sadowski [mailto:jeff.sadowski at gmail.com] 
> Sent: Tuesday 13 February 2018 17:08
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] firewalld services to open for an ADDC
> 
> On Tue, Feb 13, 2018 at 8:46 AM, Jeff Sadowski 
> <jeff.sadowski at gmail.com> wrote:
> > On Tue, Feb 13, 2018 at 8:30 AM, L.P.H. van Belle via samba
> > <samba at lists.samba.org> wrote:
> >> Hai,
> >>
> >> If you use that or the AD, then it's incomplete, imo.
> >> You're missing ldaps (636) and the GC (ssl) (3268/3269) ports 
> and maybe NTP (123/tcp) if installed.
> >> Maybe you don't need them, just an observation.
> >>
> >
> > Oh I see I need to look at the ports in the chart not just the ones
> > listed in the example.
> >
> > I'll add to my list.
> >
> So I went back and found
> [root at dc1 ~]# grep -e 53 -e 88 -e 135 -e 137 -e 138 -e 139 -e 389 -e
> 445 -e 464 -e 636 -e 49152 -e 65535 -e 3268 -e 3269
> /usr/lib/firewalld/services/*.xml |sed "s/.*services\///"
> cfengine.xml:  <port protocol="tcp" port="5308"/>
> dns.xml:  <port protocol="tcp" port="53"/>
> dns.xml:  <port protocol="udp" port="53"/>
> freeipa-ldaps.xml:  <port protocol="tcp" port="88"/>
> freeipa-ldaps.xml:  <port protocol="udp" port="88"/>
> freeipa-ldaps.xml:  <port protocol="tcp" port="464"/>
> freeipa-ldaps.xml:  <port protocol="udp" port="464"/>
> freeipa-ldaps.xml:  <port protocol="tcp" port="636"/>
> freeipa-ldap.xml:  <port protocol="tcp" port="88"/>
> freeipa-ldap.xml:  <port protocol="udp" port="88"/>
> freeipa-ldap.xml:  <port protocol="tcp" port="464"/>
> freeipa-ldap.xml:  <port protocol="udp" port="464"/>
> freeipa-ldap.xml:  <port protocol="tcp" port="389"/>
> freeipa-replication.xml:  <port protocol="tcp" port="7389"/>
> freeipa-trust.xml:  <port protocol="tcp" port="135"/>
> freeipa-trust.xml:  <port protocol="tcp" port="138-139"/>
> freeipa-trust.xml:  <port protocol="udp" port="138-139"/>
> freeipa-trust.xml:  <port protocol="tcp" port="389"/>
> freeipa-trust.xml:  <port protocol="udp" port="389"/>
> freeipa-trust.xml:  <port protocol="tcp" port="445"/>
> freeipa-trust.xml:  <port protocol="udp" port="445"/>
> freeipa-trust.xml:  <port protocol="tcp" port="3268"/>
> kerberos.xml:  <port protocol="tcp" port="88"/>
> kerberos.xml:  <port protocol="udp" port="88"/>
> kpasswd.xml:  <port protocol="tcp" port="464"/>
> kpasswd.xml:  <port protocol="udp" port="464"/>
> ldaps.xml:  <port protocol="tcp" port="636"/>
> ldap.xml:  <port protocol="tcp" port="389"/>
> mdns.xml:  <port protocol="udp" port="5353"/>
> ms-wbt.xml:  <port protocol="tcp" port="3389"/>
> samba-client.xml:  <port protocol="udp" port="137"/>
> samba-client.xml:  <port protocol="udp" port="138"/>
> samba.xml:  <port protocol="udp" port="137"/>
> samba.xml:  <port protocol="udp" port="138"/>
> samba.xml:  <port protocol="tcp" port="139"/>
> samba.xml:  <port protocol="tcp" port="445"/>
> vdsm.xml:  <port protocol="tcp" port="49152-49216"/> <!-- 
> migration -->
> 
> which gives me a few more. I now have
> 
> firewall-cmd --add-service=dns --permanent
> firewall-cmd --add-service=samba --permanent
> firewall-cmd --add-service=kerberos --permanent
> firewall-cmd --add-service=ldap --permanent
> firewall-cmd --add-service=ldaps --permanent
> firewall-cmd --add-service=kpasswd --permanent
> firewall-cmd --add-service=ms-wbt --permanent
> firewall-cmd --add-service=freeipa-trust --permanent
> firewall-cmd --reload
> 
> Do I need "Dynamic RPC Ports" and "Global Catalog SSL" ?
> It's odd that vdsm covers some of the Dynamic RPC Ports.
> 
> 
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >>
> >>> -----Original message-----
> >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jeff
> >>> Sadowski via samba
> >>> Sent: Tuesday 13 February 2018 16:05
> >>> To: Marc Muehlfeld
> >>> CC: Ing. Luis Felipe Domíngu.
> >>> Subject: Re: [Samba] firewalld services to open for an ADDC
> >>>
> >>> On Mon, Feb 12, 2018 at 11:50 PM, Marc Muehlfeld
> >>> <mmuehlfeld at samba.org> wrote:
> >>> > Hi Jeff,
> >>> >
> >>> > On 13.02.2018 at 05:16, Jeff Sadowski via samba wrote:
> >>> >> So my question is what services or ports am I missing to open?
> >>> >
> >>> > AD DCs:
> >>> > https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
> >>>
> >>> Perfect, exactly what I was looking for.
> >>> I found some docs about firewalld that the service files 
> are kept in
> >>> /usr/lib/firewalld/services
> >>> so I did
> >>> [root at dc1 ~]# grep -e 139 -e 88 -e 445
> >>> /usr/lib/firewalld/services/*.xml
> >>> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port
> >>> protocol="tcp" port="88"/>
> >>> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port
> >>> protocol="udp" port="88"/>
> >>> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port
> >>> protocol="tcp" port="88"/>
> >>> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port
> >>> protocol="udp" port="88"/>
> >>> /usr/lib/firewalld/services/freeipa-trust.xml:  <port 
> protocol="tcp"
> >>> port="138-139"/>
> >>> /usr/lib/firewalld/services/freeipa-trust.xml:  <port 
> protocol="udp"
> >>> port="138-139"/>
> >>> /usr/lib/firewalld/services/freeipa-trust.xml:  <port 
> protocol="tcp"
> >>> port="445"/>
> >>> /usr/lib/firewalld/services/freeipa-trust.xml:  <port 
> protocol="udp"
> >>> port="445"/>
> >>> /usr/lib/firewalld/services/kerberos.xml:  <port
> >>> protocol="tcp" port="88"/>
> >>> /usr/lib/firewalld/services/kerberos.xml:  <port
> >>> protocol="udp" port="88"/>
> >>> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp"
> >>> port="139"/>
> >>> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp"
> >>> port="445"/>
> >>> so by adding
> >>>
> >>> firewall-cmd --add-service=dns --permanent
> >>> firewall-cmd --add-service=samba --permanent
> >>> firewall-cmd --add-service=kerberos --permanent
> >>> firewall-cmd --reload
> >>>
> >>> I should have all the ports I need.
> >>> Thank you.
> >>>
> >>> >
> >>> > Domain members:
> >>> > https://wiki.samba.org/index.php/Samba_Domain_Member_Port_Usage
> >>> >
> >>> >
> >>> > Regards,
> >>> > Marc
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >>>
> >>
> >>
> 
> 
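As an added example (not code from the thread), a small Python check that does what the grep above does by hand: it parses firewalld service XML, expands port ranges, and reports which entries of a required-port list none of the chosen services open. The service definitions and the required list are constructed here from the ports quoted in the thread; the per-port protocol in REQUIRED is this example's reading of the linked Samba wiki page, not something the thread states.

```python
import xml.etree.ElementTree as ET
# Constructed service definitions mirroring the <port> lines in the grep output
# above; on a real host, parse /usr/lib/firewalld/services/<name>.xml instead.
SERVICE_XML = {
    "dns": '<service><port protocol="tcp" port="53"/><port protocol="udp" port="53"/></service>',
    "samba": '<service><port protocol="udp" port="137"/><port protocol="udp" port="138"/>'
             '<port protocol="tcp" port="139"/><port protocol="tcp" port="445"/></service>',
    "kerberos": '<service><port protocol="tcp" port="88"/><port protocol="udp" port="88"/></service>',
    "ldap": '<service><port protocol="tcp" port="389"/></service>',
    "ldaps": '<service><port protocol="tcp" port="636"/></service>',
    "kpasswd": '<service><port protocol="tcp" port="464"/><port protocol="udp" port="464"/></service>',
    "ms-wbt": '<service><port protocol="tcp" port="3389"/></service>',
    "freeipa-trust": '<service><port protocol="tcp" port="135"/>'
                     '<port protocol="tcp" port="138-139"/><port protocol="udp" port="138-139"/>'
                     '<port protocol="tcp" port="389"/><port protocol="udp" port="389"/>'
                     '<port protocol="tcp" port="445"/><port protocol="udp" port="445"/>'
                     '<port protocol="tcp" port="3268"/></service>',
}
# (protocol, low, high) entries built from the port numbers in the grep above; the
# protocol per port is this example's reading of the linked Samba wiki page: verify it there.
REQUIRED = [
    ("tcp", 53, 53), ("udp", 53, 53), ("tcp", 88, 88), ("udp", 88, 88),
    ("tcp", 135, 135), ("udp", 137, 137), ("udp", 138, 138), ("tcp", 139, 139),
    ("tcp", 389, 389), ("udp", 389, 389), ("tcp", 445, 445),
    ("tcp", 464, 464), ("udp", 464, 464), ("tcp", 636, 636),
    ("tcp", 3268, 3268), ("tcp", 3269, 3269), ("tcp", 49152, 65535),
]
JEFF_SERVICES = ["dns", "samba", "kerberos", "ldap", "ldaps", "kpasswd",
                 "ms-wbt", "freeipa-trust"]  # the services enabled in the mail above

def service_ports(xml_text):
    """Return {(protocol, low, high)} for each <port>, expanding 'a-b' ranges."""
    out = set()
    for p in ET.fromstring(xml_text).iter("port"):
        lo, _, hi = p.get("port").partition("-")
        out.add((p.get("protocol"), int(lo), int(hi or lo)))
    return out

def uncovered(required, enabled, services=SERVICE_XML):
    """Required entries that the enabled services do not fully open, in list order."""
    opened = set().union(*(service_ports(services[n]) for n in enabled))
    is_open = lambda pr_, pt: any(pr == pr_ and lo <= pt <= hi for pr, lo, hi in opened)
    return [r for r in required
            if not all(is_open(r[0], p) for p in range(r[1], r[2] + 1))]

def add_port_commands(gaps):
    """Explicit firewall-cmd rules for whatever no predefined service covers."""
    return ["firewall-cmd --permanent --add-port=%s/%s"
            % (str(lo) if lo == hi else "%d-%d" % (lo, hi), proto)
            for proto, lo, hi in gaps]
```

Run against JEFF_SERVICES it reports exactly the two entries the question above is about (3269/tcp and 49152-65535/tcp); whether a given deployment needs them is decided from the wiki page, not by this check.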
