[Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

Petr Spacek pspacek at redhat.com
Fri Oct 30 08:18:59 UTC 2015


On 30.10.2015 07:54, Alexander Bokovoy wrote:
> On Thu, 29 Oct 2015, Gabe Alford wrote:
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/5414
>>
>> Thanks,
>>
>> Gabe
> 
>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
>> From: Gabe <redhatrises at gmail.com>
>> Date: Thu, 29 Oct 2015 20:28:27 -0600
>> Subject: [PATCH] Incomplete ports for IPA AD Trust
>>
>> https://fedorahosted.org/freeipa/ticket/5414
>> ---
>> install/tools/ipa-adtrust-install | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/install/tools/ipa-adtrust-install
>> b/install/tools/ipa-adtrust-install
>> index
>> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
>> 100755
>> --- a/install/tools/ipa-adtrust-install
>> +++ b/install/tools/ipa-adtrust-install
>> @@ -472,6 +472,7 @@ Setup complete
>>
>> You must make sure these network ports are open:
>> \tTCP Ports:
>> +\t  * 135: epmap
>> \t  * 138: netbios-dgm
>> \t  * 139: netbios-ssn
>> \t  * 445: microsoft-ds
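Review bot: the added `135: epmap` line at the top of the TCP list is incomplete on its own, because the endpoint mapper only redirects clients to a dynamically allocated listener port, so an administrator who opens exactly the ports printed here will still see RPC calls fail. As the thread notes, Samba currently hard-codes that listener range to 1024..1300/TCP, so either add a second line directly after the new one, e.g. `\t  * 1024-1300: RPC dynamic listener range`, or append a pointer such as `(see ipa-adtrust-install(1) man page for details)` to the epmap line and document the range (and the fact that it may change) in the man page, which the thread says has no firewall section yet.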
> This is good but not complete. What the end-point mapper does is create a
> listener based on the incoming request, and access to the listener needs
> to be provided as well. A listener is currently created in the range of
> 1024..1300/TCP but we already have a request to make this range
> configurable (it is hard coded right now in Samba code) because with
> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> https://support.microsoft.com/en-us/kb/929851
> 
> We were thinking to add a call out hook on Samba side to call
> firewall-related script that could do hole punching on demand but it is
> not there yet.
> 
> What we could do in ipa-adtrust-install is to add a section about TCP/UDP
> ports to the manual page and explicitly reference it in the
> epmap line:
> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
> 
> We don't have the firewall section in the manpage at all, btw.
> 
> What do you think?

Maybe I'm missing something, but ... could we simply put the current range
1024..1300/TCP into the installer now and make other changes as Samba evolves? I
think that it is good enough as a hotfix and that we do not need to
over-complicate it in the beginning.

-- 
Petr^2 Spacek
