[Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 30 10:10:30 UTC 2015


On Fri, 30 Oct 2015, Petr Spacek wrote:
>On 30.10.2015 07:54, Alexander Bokovoy wrote:
>> On Thu, 29 Oct 2015, Gabe Alford wrote:
>>> Hello,
>>>
>>> Fix for https://fedorahosted.org/freeipa/ticket/5414
>>>
>>> Thanks,
>>>
>>> Gabe
>>
>>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
>>> From: Gabe <redhatrises at gmail.com>
>>> Date: Thu, 29 Oct 2015 20:28:27 -0600
>>> Subject: [PATCH] Incomplete ports for IPA AD Trust
>>>
>>> https://fedorahosted.org/freeipa/ticket/5414
>>> ---
>>> install/tools/ipa-adtrust-install | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/install/tools/ipa-adtrust-install
>>> b/install/tools/ipa-adtrust-install
>>> index
>>> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
>>> 100755
>>> --- a/install/tools/ipa-adtrust-install
>>> +++ b/install/tools/ipa-adtrust-install
>>> @@ -472,6 +472,7 @@ Setup complete
>>>
>>> You must make sure these network ports are open:
>>> \tTCP Ports:
>>> +\t  * 135: epmap
>>> \t  * 138: netbios-dgm
>>> \t  * 139: netbios-ssn
>>> \t  * 445: microsoft-ds
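Review bot: the new `+\t  * 135: epmap` line lists the endpoint mapper itself but not the dynamic RPC listener range it hands out (currently 1024..1300/TCP in Samba, as discussed in this thread), so a firewall opened from this list alone would admit the mapper request and then block the follow-up connection; add a line for the listener range next to the epmap entry, or at least a pointer to where that range is documented, e.g. `\t  * 135: epmap (see ipa-adtrust-install(1) man page for details)`.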
>> This is good but not complete. What the end-point mapper does is create a
>> listener based on the incoming request, and access to the listener needs
>> to be provided as well. A listener is currently created in the range of
>> 1024..1300/TCP, but we already have a request to make this range
>> configurable (it is hard-coded right now in Samba code) because with
>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
>> https://support.microsoft.com/en-us/kb/929851
>>
>> We were thinking to add a call out hook on Samba side to call
>> firewall-related script that could do hole punching on demand but it is
>> not there yet.
>>
>> What we could do in ipa-adtrust-install is to add a section about TCP/UDP
>> ports to the manual page and explicitly reference it in the case of the
>> epmap line:
>> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
>>
>> We don't have the firewall section in the manpage at all, btw.
>>
>> What do you think?
>
>Maybe I'm missing something, but ... Could we simply put the current range
>1024..1300/TCP into the installer now and do other changes as Samba evolves? I
>think that it is good enough as a hotfix and that we do not need to
>over-complicate it in the beginning.
That's essentially what I said too -- but I want to have firewall
requirements documented in the manpage so that they are available
beforehand _and_ people actually read them when they are referenced in
the output.

I'm not asking for anything else here. Documentation is needed.
-- 
/ Alexander Bokovoy