[Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

Petr Spacek pspacek at redhat.com
Fri Oct 30 10:12:44 UTC 2015


On 30.10.2015 11:10, Alexander Bokovoy wrote:
> On Fri, 30 Oct 2015, Petr Spacek wrote:
>> On 30.10.2015 07:54, Alexander Bokovoy wrote:
>>> On Thu, 29 Oct 2015, Gabe Alford wrote:
>>>> Hello,
>>>>
>>>> Fix for https://fedorahosted.org/freeipa/ticket/5414
>>>>
>>>> Thanks,
>>>>
>>>> Gabe
>>>
>>>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
>>>> From: Gabe <redhatrises at gmail.com>
>>>> Date: Thu, 29 Oct 2015 20:28:27 -0600
>>>> Subject: [PATCH] Incomplete ports for IPA AD Trust
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5414
>>>> ---
>>>> install/tools/ipa-adtrust-install | 1 +
>>>> 1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/install/tools/ipa-adtrust-install
>>>> b/install/tools/ipa-adtrust-install
>>>> index
>>>> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
>>>>
>>>> 100755
>>>> --- a/install/tools/ipa-adtrust-install
>>>> +++ b/install/tools/ipa-adtrust-install
>>>> @@ -472,6 +472,7 @@ Setup complete
>>>>
>>>> You must make sure these network ports are open:
>>>> \tTCP Ports:
>>>> +\t  * 135: epmap
>>>> \t  * 138: netbios-dgm
>>>> \t  * 139: netbios-ssn
>>>> \t  * 445: microsoft-ds
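Review bot: The added line opens only the endpoint mapper port itself, yet a client that reaches 135/TCP is then redirected to a dynamically allocated listener port, so a firewall configured from this list alone still blocks the follow-up RPC connection; as Alexander's reply below states, Samba currently allocates that listener in 1024..1300/TCP and the range is hard coded. Suggest either adding that range as its own entry directly after the epmap line, or, as proposed below, pointing the reader at a firewall section of the man page, e.g. `\t  * 135: epmap (see ipa-adtrust-install(1) man page for details)`, and adding that section to ipa-adtrust-install(1) in the same patch, since the man page has no firewall section today.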
>>> This is good but not complete. What the end-point mapper does is create a
>>> listener based on the incoming request, and access to the listener needs
>>> to be provided as well. A listener is currently created in the range of
>>> 1024..1300/TCP but we already have a request to make this range
>>> configurable (it is hard coded right now in Samba code) because with
>>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
>>> https://support.microsoft.com/en-us/kb/929851
>>>
>>> We were thinking of adding a call-out hook on the Samba side to call a
>>> firewall-related script that could do hole punching on demand, but it is
>>> not there yet.
>>>
>>> What we could do in ipa-adtrust-install is to add a section about TCP/UDP
>>> ports to the manual page and explicitly reference that one in the case of
>>> the epmap line:
>>> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
>>>
>>> We don't have the firewall section in the manpage at all, btw.
>>>
>>> What do you think?
>>
>> Maybe I'm missing something, but ... Could we simply put the current range
>> 1024..1300/TCP into the installer now and do other changes as Samba evolves? I
>> think that it is good enough as a hotfix and that we do not need to
>> over-complicate it in the beginning.
> That's essentially what I said too -- but I want to have firewall
> requirements documented in the manpage so that they are available
> beforehand _and_ people actually read them when they are referenced in
> the output.
> 
> I'm not asking for anything else here. Documentation is needed.

Thanks for the clarification, I was under the impression that you wanted to put it
only into the man page :-)

-- 
Petr^2 Spacek
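The thread's point is that the installer's port list is only complete once the dynamic RPC listener range handed out by the endpoint mapper is open too. The following script is an added example, not code from the thread or from FreeIPA or Samba: it builds the required TCP port set (the installer's 135/138/139/445 plus the 1024..1300/TCP listener range Alexander cites, overridable for the Windows 2008 range or a future configurable Samba range), parses an allow-list in the `firewall-cmd --list-ports` output format, and reports what is still blocked. The sample allow-list is constructed to show the failure mode under discussion: the four listed ports opened, the dynamic range forgotten.

```python
"""Check that a host's allowed TCP ports cover what an IPA AD trust needs.

Added example (not FreeIPA/Samba code). Required ports: those printed by
ipa-adtrust-install (135, 138, 139, 445/TCP) plus the dynamic RPC listener
range the endpoint mapper hands out (1024..1300/TCP in current Samba per the
thread; pass a different range once Samba makes it configurable).
"""
import re

# Fixed TCP ports, mirroring the installer's "You must make sure ..." list.
FIXED_TCP_PORTS = {135: "epmap", 138: "netbios-dgm",
                   139: "netbios-ssn", 445: "microsoft-ds"}

# Dynamic listener range: current Samba default from the thread; override with
# e.g. (49152, 65535) for the post-Windows-2008 range.
DEFAULT_RPC_RANGE = (1024, 1300)

# Accepts "80/tcp" or "1024-1300/tcp" tokens (firewall-cmd --list-ports style).
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?/(tcp|udp)$")


def parse_port_list(text):
    """Parse allow-list text into a set of (port, proto) tuples.

    Raises ValueError on anything that is not a port or port range token, so a
    typo in the allow-list is reported instead of silently treated as open.
    """
    allowed = set()
    for token in text.split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError("unrecognised port spec: %r" % token)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError("port out of range: %r" % token)
        allowed.update((p, m.group(3)) for p in range(lo, hi + 1))
    return allowed


def required_tcp_ports(rpc_range=DEFAULT_RPC_RANGE):
    """Return {port: description} for every TCP port the trust needs."""
    lo, hi = rpc_range
    ports = dict(FIXED_TCP_PORTS)
    for p in range(lo, hi + 1):
        ports.setdefault(p, "dynamic RPC listener (allocated via epmap)")
    return ports


def missing_tcp_ports(allowed_text, rpc_range=DEFAULT_RPC_RANGE):
    """Return {port: description} for required TCP ports absent from the allow-list."""
    allowed = parse_port_list(allowed_text)
    return {p: desc for p, desc in required_tcp_ports(rpc_range).items()
            if (p, "tcp") not in allowed}


def summarize_missing(missing):
    """Collapse missing port numbers into firewall-cmd style tokens (e.g. 1024-1300/tcp)."""
    ports = sorted(missing)
    tokens = []
    i = 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        tokens.append("%d/tcp" % ports[i] if i == j
                      else "%d-%d/tcp" % (ports[i], ports[j]))
        i = j + 1
    return tokens


# Constructed sample allow-list: the installer's four ports were opened, the
# dynamic listener range was not, which is exactly the gap discussed above.
SAMPLE_ALLOWED = "135/tcp 138/tcp 139/tcp 445/tcp 138/udp 389/tcp 636/tcp"

if __name__ == "__main__":
    for token in summarize_missing(missing_tcp_ports(SAMPLE_ALLOWED)):
        print("still blocked:", token)
```

Run it against real output with `missing_tcp_ports(subprocess.check_output(["firewall-cmd", "--list-ports"], text=True))`; an empty result means every port on the installer's list plus the listener range is allowed. The range is a parameter rather than a constant precisely because the thread expects it to change.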
