On Fri, 30 Oct 2015, Petr Spacek wrote:
On 30.10.2015 07:54, Alexander Bokovoy wrote:
On Thu, 29 Oct 2015, Gabe Alford wrote:

Fix for https://fedorahosted.org/freeipa/ticket/5414

From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Thu, 29 Oct 2015 20:28:27 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

install/tools/ipa-adtrust-install | 1 +
1 file changed, 1 insertion(+)

diff --git a/install/tools/ipa-adtrust-install
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -472,6 +472,7 @@ Setup complete

You must make sure these network ports are open:
\tTCP Ports:
+\t  * 135: epmap
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 445: microsoft-ds
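Review bot: The added line covers only the endpoint mapper itself; a client that reaches 135/TCP is then directed to a dynamically allocated listener port, so with only 135 opened the RPC traffic for the trust still fails at the firewall. Either add the listener range Samba currently uses (1024..1300/TCP, as the thread below states) as a line of its own, or reference the man page from this line, e.g. `* 135: epmap (see ipa-adtrust-install(1) man page for details)`, and document the range there. Also, the `diff --git` header shows only the `a/` path; check that the patch file is intact before applying it.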
This is good but not complete. What the end-point mapper does is create a
listener based on the incoming request, and access to that listener needs
to be provided as well. A listener is currently created in the range
1024..1300/TCP, but we already have a request to make this range
configurable (it is hard-coded right now in Samba code) because with
Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:

We were thinking of adding a call-out hook on the Samba side to call a
firewall-related script that could do hole punching on demand, but it is
not there yet.

What we could do in ipa-adtrust-install is to add a section about TCP/UDP
ports to the manual page and explicitly reference it in the epmap line:
\t  *135: epmap (see ipa-adtrust-install(1) man page for details)

We don't have a firewall section in the manpage at all, btw.

What do you think?

Maybe I'm missing something, but ... could we simply put the current range
1024..1300/TCP into the installer now and do other changes as Samba evolves? I
think that it is good enough as a hotfix and that we do not need to
over-complicate it in the beginning.
That's essentially what I said too -- but I want to have the firewall
requirements documented in the manpage so that they are available
beforehand _and_ people actually read them when they are referenced in
the output.

I'm not asking for anything else here. Documentation is needed.
/ Alexander Bokovoy
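The thread's point is that opening 135/TCP alone is not enough: the endpoint mapper hands clients a dynamically allocated listener port, so the firewall must also cover the range those listeners land in. The script below is an added example written for this thread, not code from the FreeIPA patch or from Samba. It assumes a firewalld-managed host, takes the TCP ports from the patch hunk (135, 138, 139, 445) plus the 1024..1300/TCP listener range Alexander mentions, and leaves out the UDP ports since the hunk does not show them. It prints the rules rather than applying them, and it checks an `ss -ltn`-style listener list against that rule set so a listener that ends up outside the opened range (for instance after the range becomes configurable) is reported instead of silently being blocked.

```shell
#!/bin/sh
# Added example (not from the FreeIPA patch or the thread): generate firewalld
# rules for the AD trust ports and check a listener list against them.

# TCP ports printed by the installer (from the patch hunk) and the dynamic
# RPC listener range Samba currently uses according to the thread.
ADTRUST_TCP_PORTS="135 138 139 445"
RPC_RANGE_LO=1024
RPC_RANGE_HI=1300

# Print the firewalld commands instead of running them, so the rule set can
# be reviewed (or fed into a config management tool) before it is applied.
adtrust_firewalld_rules() {
    for p in $ADTRUST_TCP_PORTS; do
        printf 'firewall-cmd --permanent --add-port=%s/tcp\n' "$p"
    done
    printf 'firewall-cmd --permanent --add-port=%s-%s/tcp\n' \
        "$RPC_RANGE_LO" "$RPC_RANGE_HI"
    printf 'firewall-cmd --reload\n'
}

# Return 0 if TCP port $1 is covered by the rule set above, 1 otherwise.
port_allowed() {
    for p in $ADTRUST_TCP_PORTS; do
        [ "$1" -eq "$p" ] && return 0
    done
    [ "$1" -ge "$RPC_RANGE_LO" ] && [ "$1" -le "$RPC_RANGE_HI" ]
}

# Read `ss -ltn`-style output on stdin and print every listening TCP port
# that the rule set does not cover. Such a port is either an unrelated
# service or an RPC listener outside the range the firewall opens.
uncovered_listeners() {
    # Column 4 is "addr:port"; keep the text after the last colon so that
    # both "0.0.0.0:135" and "[::]:22" yield the port number.
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un |
    while read -r port; do
        port_allowed "$port" || echo "$port"
    done
}

# Constructed sample of `ss -ltn` output used for the demonstration.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     0.0.0.0:135          0.0.0.0:*
LISTEN 0      50     0.0.0.0:445          0.0.0.0:*
LISTEN 0      50     0.0.0.0:1027         0.0.0.0:*
LISTEN 0      50     0.0.0.0:49200        0.0.0.0:*
LISTEN 0      128    [::]:22              [::]:*'

# Run the check over the constructed sample; on a real host replace the
# sample with `ss -ltn | uncovered_listeners`.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | uncovered_listeners
}
```

Running `check_sample` on the sample reports 22 and 49200: sshd is expected, but 49200 is the interesting case, a listener in the Windows 2008 style dynamic range that the 1024..1300 rule would not cover.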

