[Freeipa-users] AD Trusts: Should tcp/389/636 be excluded or not?

Mark Heslin mheslin at redhat.com
Mon Aug 4 21:09:20 UTC 2014


On 08/04/2014 04:37 PM, Alexander Bokovoy wrote:
> On Mon, 04 Aug 2014, Mark Heslin wrote:
>> Folks,
>>
>> Does anyone know the current disposition of $subject? The FreeIPA
>> documentation:
>>
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration
>>
>> would seem to indicate this is no longer necessary. Is this "official"
>> or should we block just the Win/AD server from these ports?
>>
>> Alexander Bokovoy and I were working together last Friday on a
>> cross-realm Kerberos trust to an AD server (Win2012 R2) and noticed
>> replication was not working because I had tcp/389 and tcp/636 REJECT
>> configured on the IdM servers. After removing the rules everything is
>> working again.
>>
>> Currently, I still have the rules removed but would like to know
>> whether to keep them removed or add them back in but block only the
>> packets from the Win/AD server.
> Never ever block tcp/389 and tcp/636 between IPA servers or your
> replication will not work at all. The instruction we show at the end of
> ipa-adtrust-install is related only to communication with AD DCs for
> the sake of their sanity as any attempt to use LDAP(S) over TCP against
> IPA servers will most likely confuse Windows machines due to completely
> different schema used. LDAP over UDP is required for trusts as
> connectionless LDAP (CLDAP) is part of discovery protocol that AD
> machines expect to work.
>
> Blocking TCP/389 and TCP/636 between AD DCs and IPA servers should not
> hurt.

Good. I can modify the firewalld rules accordingly:

   ipv4 filter ipa-server-chain 0 --proto tcp --destination-port 389 ! --source {ad-server-ip} --jump ACCEPT
   ipv4 filter ipa-server-chain 0 --proto tcp --destination-port 636 ! --source {ad-server-ip} --jump ACCEPT

Thanks Alexander :-)

-m



-- 

Red Hat Reference Architectures

Follow Us: https://twitter.com/RedHatRefArch
Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
Like Us: https://www.facebook.com/rhrefarch
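The policy agreed in this thread (keep tcp/389 and tcp/636 open between IPA servers, close them only towards the AD DC, leave udp/389 CLDAP reachable), as an added example that is not part of the original mail. It prints the firewall-cmd direct-rule invocations rather than applying them and models the resulting verdicts for a few constructed packets; the address 192.0.2.10 and the assumption that ipa-server-chain already exists are mine, not the thread's.

```shell
#!/bin/sh
# Added example, not from the thread. The AD DC address 192.0.2.10 and
# the chain name are assumptions; the thread's own rules use {ad-server-ip}
# and ipa-server-chain. This script only prints firewall-cmd invocations
# so it can be reviewed and run offline before anything is applied.

CHAIN="ipa-server-chain"            # assumed to exist (created with --add-chain)
AD_DC_IP="${AD_DC_IP:-192.0.2.10}"  # constructed sample address

# Emit the direct rules: accept tcp/389 and tcp/636 from every source
# except the AD DC, and accept CLDAP (udp/389) unconditionally, since AD
# discovery relies on it.
ipa_trust_rules() {
  ad_ip="$1"
  for port in 389 636; do
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter %s 0 --proto tcp --destination-port %s ! --source %s --jump ACCEPT\n' \
      "$CHAIN" "$port" "$ad_ip"
  done
  printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter %s 0 --proto udp --destination-port 389 --jump ACCEPT\n' "$CHAIN"
}

# Model the same policy on one packet so the negated source match can be
# checked before deployment. "! --source X" matches every source except X.
# A packet no ACCEPT rule matches is reported as REJECT here, which is the
# assumed fall-through verdict (the thread's original REJECT rules).
ldap_verdict() {
  proto="$1"; dport="$2"; src="$3"; ad_ip="$4"
  case "$proto/$dport" in
    tcp/389|tcp/636)
      if [ "$src" != "$ad_ip" ]; then echo ACCEPT; else echo REJECT; fi ;;
    udp/389) echo ACCEPT ;;   # CLDAP: must stay reachable from the AD DC
    *)       echo REJECT ;;
  esac
}

# Demonstration: print the rules, then check an IPA replica peer and the AD DC.
ipa_trust_rules "$AD_DC_IP"
for pkt in "tcp 636 192.0.2.20" "tcp 389 $AD_DC_IP" "udp 389 $AD_DC_IP"; do
  set -- $pkt
  echo "$1/$2 from $3 -> $(ldap_verdict "$1" "$2" "$3" "$AD_DC_IP")"
done
```

Pipe the printed commands into a shell only after confirming that the replica peer addresses are not the one passed as the AD DC, since the negated source match is what keeps replication working.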



