Okay. Added the port range to ipa-adtrust-install and updated the man page to reflect firewall requirements. The firewall section seems a little rough, so let me know what you think it would need to be smoothed over (if anything).
thanks,

Gabe

On Fri, Oct 30, 2015 at 4:12 AM, Petr Spacek <pspa...@redhat.com> wrote:
> On 30.10.2015 11:10, Alexander Bokovoy wrote:
> > On Fri, 30 Oct 2015, Petr Spacek wrote:
> >> On 30.10.2015 07:54, Alexander Bokovoy wrote:
> >>> On Thu, 29 Oct 2015, Gabe Alford wrote:
> >>>> Hello,
> >>>>
> >>>> Fix for https://fedorahosted.org/freeipa/ticket/5414
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Gabe
> >>>
> >>>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
> >>>> From: Gabe <redhatri...@gmail.com>
> >>>> Date: Thu, 29 Oct 2015 20:28:27 -0600
> >>>> Subject: [PATCH] Incomplete ports for IPA AD Trust
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/5414
> >>>> ---
> >>>> install/tools/ipa-adtrust-install | 1 +
> >>>> 1 file changed, 1 insertion(+)
> >>>>
> >>>> diff --git a/install/tools/ipa-adtrust-install
> >>>> b/install/tools/ipa-adtrust-install
> >>>> index
> >>>> > 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
> >>>>
> >>>> 100755
> >>>> --- a/install/tools/ipa-adtrust-install
> >>>> +++ b/install/tools/ipa-adtrust-install
> >>>> @@ -472,6 +472,7 @@ Setup complete
> >>>>
> >>>> You must make sure these network ports are open:
> >>>> \tTCP Ports:
> >>>> +\t * 135: epmap
> >>>> \t * 138: netbios-dgm
> >>>> \t * 139: netbios-ssn
> >>>> \t * 445: microsoft-ds
> >>> This is good but not complete. What the end-point mapper does is create a
> >>> listener based on the incoming request, and access to the listener needs
> >>> to be provided as well. A listener is currently created in the range of
> >>> 1024..1300/TCP, but we already have a request to make this range
> >>> configurable (it is hard-coded right now in Samba code) because with
> >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> >>> https://support.microsoft.com/en-us/kb/929851
> >>>
> >>> We were thinking of adding a call-out hook on the Samba side to call a
> >>> firewall-related script that could do hole punching on demand, but it is
> >>> not there yet.
> >>>
> >>> What we could do in ipa-adtrust-install is add a section about TCP/UDP
> >>> ports to the manual page and explicitly reference it in the
> >>> epmap line:
> >>> \t *135: epmap (see ipa-adtrust-install(1) man page for details)
> >>>
> >>> We don't have a firewall section in the manpage at all, btw.
> >>>
> >>> What do you think?
> >>
> >> Maybe I'm missing something, but ... Could we simply put the current range
> >> 1024..1300/TCP into the installer now and do other changes as Samba evolves? I
> >> think that it is good enough as a hotfix and that we do not need to
> >> over-complicate it in the beginning.
> > That's essentially what I said too -- but I want to have the firewall
> > requirements documented in the manpage so that they are available
> > beforehand _and_ people actually read them when they are referenced in
> > the output.
> >
> > I'm not asking for anything else here. Documentation is needed.
> >
> Thanks for the clarification, I was under the impression that you wanted to put it
> only into the man page :-)
>
> --
> Petr^2 Spacek
From 227cf5ae9f7e1c0d5ce96c996baa75448430ce99 Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Fri, 30 Oct 2015 09:11:00 -0600 Subject: [PATCH] Incomplete ports for IPA AD Trust - Add subsection to ipa-adtrust-install man page - Update port information in ipa-adtrust-install https://fedorahosted.org/freeipa/ticket/5414 --- install/tools/ipa-adtrust-install | 4 ++++ install/tools/man/ipa-adtrust-install.1 | 25 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..ff69d69e2c11ce08b8b648a5a78777c472da2ac9 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -472,15 +472,19 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds +\t * 1024..1300: epmap listener range \tUDP Ports: \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 389: (C)LDAP \t * 445: microsoft-ds +See the ipa-adtrust-install(1) man page for more details + ============================================================================= """) if admin_password: diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index 06378b5983e55bb6c34971b0f5129246f9f14fd3..36c468336909c705c68a2794dec699f3f05579d9 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 
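Review bot: the UDP list in the @@ -472,15 +472,19 @@ hunk still prints `\t * 445: microsoft-ds` (and `\t * 139: netbios-ssn`), while the "Firewall Requirements" section this same patch adds to ipa-adtrust-install.1 lists only 138/udp, 139/udp and 389/udp, so the installer output and the man page it now points to with `+See the ipa-adtrust-install(1) man page for more details` disagree on 445/udp; settle on one list and use it in both places. Minor, same hunk: that "See ..." line is missing its full stop, and `+\t * 1024..1300: epmap listener range` would be clearer as "epmap listener range (Samba default)", since the thread notes the range is hard-coded in Samba today and expected to become configurable.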
@@ -36,6 +36,31 @@ configuration of the local range cannot be changed by running ipa\-adtrust\-install a second time because with changes here other objects might be affected as well. +.SS "Firewall Requirements" +In addition to the IPA server firewall requirements, ipa\-adtrust\-install requires +the following ports to be open to allow IPA and Active Directory to communicate together: + +\fBTCP Ports\fR +.IP +\(bu 135/tcp EPMAP +.IP +\(bu 138/tcp NetBIOS-DGM +.IP +\(bu 139/tcp NetBIOS-SSN +.IP +\(bu 445/tcp Microsoft-DS +.IP +\(bu 1024/tcp through 1300/tcp to allow EPMAP on port 135/tcp to create a TCP listener based +on an incoming request. +.TP +\fBUDP Ports\fR +.IP +\(bu 138/udp NetBIOS-DGM +.IP +\(bu 139/udp NetBIOS-SSN +.IP +\(bu 389/udp LDAP + .SH "OPTIONS" .TP \fB\-d\fR, \fB\-\-debug\fR -- 22.214.171.124
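Review bot: `.TP` is emitted before `\fBUDP Ports\fR` but not before `\fBTCP Ports\fR`, so the two headings of the new "Firewall Requirements" subsection render differently; use the same macro (or none) for both. In the same hunk, `\(bu 389/udp LDAP` should carry the "(C)LDAP" label the installer output uses so the two stay in step, and the `1024/tcp through 1300/tcp` item should say that this is the range Samba currently hard-codes for the listener EPMAP creates (per the discussion above it may become configurable), so readers know to re-check it when Samba changes.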
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code