[Freeipa-users] AD Trusts: Should tcp/389/636 be excluded or not?
Mark Heslin
mheslin at redhat.com
Mon Aug 4 20:21:30 UTC 2014
Folks,
Does anyone know the current disposition of $subject? The FreeIPA documentation:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration
would seem to indicate this is no longer necessary. Is this "official" or should we block just the Win/AD server from these ports?
Alexander Bokovoy and I were working together last Friday on a cross-realm Kerberos trust to an AD server (Win2012 R2) and noticed replication was not working because I had tcp/389 and tcp/636 REJECT configured on the IdM servers. After removing the rules everything is working again.
Currently, I still have the rules removed but would like to know whether to keep them removed or add them back in but block only the packets from the Win/AD server.
Thanks,
=m
--
Red Hat Reference Architectures
Follow Us: https://twitter.com/RedHatRefArch
Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
Like Us: https://www.facebook.com/rhrefarch