[Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

Gabe Alford redhatrises at gmail.com
Fri Oct 30 16:03:19 UTC 2015


Okay. Added the port range to ipa-adtrust-install and updated the man page
to reflect the firewall requirements.
The firewall section seems a little rough, so let me know what you think
would need to be smoothed over (if anything).

thanks,

Gabe

On Fri, Oct 30, 2015 at 4:12 AM, Petr Spacek <pspacek at redhat.com> wrote:

> On 30.10.2015 11:10, Alexander Bokovoy wrote:
> > On Fri, 30 Oct 2015, Petr Spacek wrote:
> >> On 30.10.2015 07:54, Alexander Bokovoy wrote:
> >>> On Thu, 29 Oct 2015, Gabe Alford wrote:
> >>>> Hello,
> >>>>
> >>>> Fix for https://fedorahosted.org/freeipa/ticket/5414
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Gabe
> >>>
> >>>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
> >>>> From: Gabe <redhatrises at gmail.com>
> >>>> Date: Thu, 29 Oct 2015 20:28:27 -0600
> >>>> Subject: [PATCH] Incomplete ports for IPA AD Trust
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/5414
> >>>> ---
> >>>> install/tools/ipa-adtrust-install | 1 +
> >>>> 1 file changed, 1 insertion(+)
> >>>>
> >>>> diff --git a/install/tools/ipa-adtrust-install
> >>>> b/install/tools/ipa-adtrust-install
> >>>> index
> >>>>
> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
> >>>>
> >>>> 100755
> >>>> --- a/install/tools/ipa-adtrust-install
> >>>> +++ b/install/tools/ipa-adtrust-install
> >>>> @@ -472,6 +472,7 @@ Setup complete
> >>>>
> >>>> You must make sure these network ports are open:
> >>>> \tTCP Ports:
> >>>> +\t  * 135: epmap
> >>>> \t  * 138: netbios-dgm
> >>>> \t  * 139: netbios-ssn
> >>>> \t  * 445: microsoft-ds
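Review bot: listing 135/epmap on its own leaves the port requirements incomplete, because the endpoint mapper on 135 only redirects clients to a separately allocated listener port that must be reachable too; as noted later in this thread, Samba currently allocates those listeners from 1024..1300/TCP, so the hunk should either add that range to the list (e.g. `\t  * 1024-1300: dynamic RPC listeners (epmap)`) or point the reader at the ipa-adtrust-install(1) man page where the range is documented, and the man page then needs a firewall section, which it currently lacks.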
> >>> This is good but not complete. What the end-point mapper does is create a
> >>> listener based on the incoming request, and access to the listener needs
> >>> to be provided as well. A listener is currently created in the range of
> >>> 1024..1300/TCP, but we already have a request to make this range
> >>> configurable (it is hard-coded right now in Samba code) because with
> >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> >>> https://support.microsoft.com/en-us/kb/929851
> >>>
> >>> We were thinking to add a call out hook on Samba side to call
> >>> firewall-related script that could do hole punching on demand but it is
> >>> not there yet.
> >>>
> >>> What we could do in ipa-adtrust-install is to add a section about TCP/UDP
> >>> ports to the manual page and explicitly reference that one in the
> >>> epmap line:
> >>> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
> >>>
> >>> We don't have the firewall section in the manpage at all, btw.
> >>>
> >>> What do you think?
> >>
> >> Maybe I'm missing something, but ... Could we simply put the current range
> >> 1024..1300/TCP into the installer now and do other changes as Samba
> >> evolves? I think that it is good enough as a hotfix and that we do not
> >> need to over-complicate it in the beginning.
> > That's essentially what I said too -- but I want to have firewall
> > requirements documented in the manpage so that they are available
> > beforehand _and_ people actually read them when they are referenced in
> > the output.
> >
> > I'm not asking for anything else here. Documentation is needed.
>
> Thanks for the clarification, I was under the impression that you wanted to
> put it only into the man page :-)
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rga-0060-2-Incomplete-ports-for-IPA-AD-Trust.patch
Type: text/x-patch
Size: 2383 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151030/fb964ac1/attachment.bin>
