[Freeipa-users] Firewalld rules to allow AD Join

Martin Kosek mkosek at redhat.com
Mon Mar 23 11:22:31 UTC 2015


On 03/20/2015 09:59 PM, McEvoy, James wrote:
> Hi FreeIPA Users:
> 
> I can only get my new Fedora 21 FreeIPA server to set up a trust with Active Directory if I turn off the firewall on the ipa server. I have looked through all the doc on which ports to open but have had no luck getting the join to work with firewalld running... Can someone tell me what firewalld is blocking on me?
> 
>   --jim
> 
> These are my open services:
> 
> 	# firewall-cmd --zone=public --list-all
> 	public (default)
> 	interfaces: 
> 	sources: 
> 	services: dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos kpasswd ldap ldaps mdns ntp samba ssh
> 	ports: 
> 	masquerade: no
> 	forward-ports: 
> 	icmp-blocks: 
> 
> [root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
> Active Directory domain administrator's password: 
> ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
> 
> As soon as I turn off the firewall it works:
> 
> [root@ipa ~]# systemctl stop firewalld
> [root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
> Active Directory domain administrator's password: 
> -----------------------------------------
> Re-established trust to domain "enas.net"
> -----------------------------------------
>   Realm name: enas.net
>   Domain NetBIOS name: ENAS
>   Domain Security Identifier: S-1-5-21-1497210546-3194758708-3931123408
>   SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>                           S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>                           S-1-1, S-1-0, S-1-5-19, S-1-5-18
>   SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
>                           S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
>                           S-1-1, S-1-0, S-1-5-19, S-1-5-18
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
> 
> 
> The only error that I have found is in the samba logs, where lsasd has the following:
> 
> [2015/03/19 18:19:22.792043,  1] ipa_sam.c:1671(search_krb_princ)
>   get_trusted_domain_int: no object found with filter 'krbPrincipalName=krbtgt/ENAS.NET@LNX.LAB'.
> [2015/03/19 18:19:23.080328,  1] ipa_sam.c:1671(search_krb_princ)
>   get_trusted_domain_int: no object found with filter 'krbPrincipalName=krbtgt/LNX.LAB@ENAS.NET'.
> 
> 
> and winbindd-idmap has this in it:
> 
> [2015/03/20 14:21:14.966125,  1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
>   idmap range not specified for domain *
> [2015/03/20 14:21:14.968671,  1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
>   idmap range not specified for domain *
> 
> 
> 

This is the list

You must make sure these network ports are open:
	TCP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
	TCP Ports:
	  * 389, 636: LDAP/LDAPS


I do not think you have configured all of those. You can find more info on our
wiki:

http://www.freeipa.org/page/Active_Directory_trust_setup#Firewall_configuration

Martin
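An added example, not from this thread or the FreeIPA project, that turns the port list in the reply above into firewalld commands: it opens the Samba/CLDAP ports Martin lists and adds reject rich rules so the named AD domain controllers cannot reach LDAP/LDAPS on the IPA server while ldap/ldaps stay open for ordinary IPA clients. The zone name ("public") and the DC addresses are passed as arguments and are assumptions; the script only prints the firewall-cmd invocations so they can be reviewed before being piped to a shell.

```shell
#!/bin/sh
# Added example: generate firewalld rules for a FreeIPA <-> AD trust.
# Assumes firewalld rich-rule syntax; zone and DC addresses are assumptions
# supplied on the command line.

# Ports the reply lists as required for the trust (Samba/winbind side).
TRUST_PORTS="138/tcp 139/tcp 445/tcp 138/udp 139/udp 389/udp 445/udp"

# Ports the reply says AD domain controllers must NOT reach on the IPA server.
BLOCK_FROM_DC_PORTS="389 636"

# ad_trust_rules ZONE DC_ADDR...
# Prints one firewall-cmd invocation per line, permanent rules followed by a reload.
ad_trust_rules() {
  zone=$1; shift
  for p in $TRUST_PORTS; do
    echo "firewall-cmd --permanent --zone=$zone --add-port=$p"
  done
  # Reject rich rules are evaluated before the zone's service/port allows,
  # so these win over the ldap/ldaps services already enabled in the zone.
  for dc in "$@"; do
    for port in $BLOCK_FROM_DC_PORTS; do
      echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='rule family=\"ipv4\" source address=\"$dc\" port port=\"$port\" protocol=\"tcp\" reject'"
    done
  done
  echo "firewall-cmd --reload"
}

# Usage (review the output first, then pipe it to sh on the IPA server):
#   sh trust-firewall.sh public 192.0.2.10 192.0.2.11 | sh
if [ $# -gt 0 ]; then
  ad_trust_rules "$@"
fi
```

The reject rules must cover every DC that can answer for the trusted domain, or one of them will still be able to bind to the IPA LDAP port directly and the trust will misbehave in a way that looks like the error in the original post. UDP 389 is CLDAP, the DC locator "ping" the AD side uses to find the IPA domain controller, and must stay open; note that the generator deliberately adds no TCP 389 port rule, since the zone already carries the ldap/ldaps services for IPA clients.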
