Okay. Added the port range to ipa-adtrust-install and updated the man page
to reflect firewall requirements.
The firewall section seems a little rough, so let me know what you think it
would need to be smoothed over (if anything).

thanks,

Gabe

On Fri, Oct 30, 2015 at 4:12 AM, Petr Spacek <pspa...@redhat.com> wrote:

> On 30.10.2015 11:10, Alexander Bokovoy wrote:
> > On Fri, 30 Oct 2015, Petr Spacek wrote:
> >> On 30.10.2015 07:54, Alexander Bokovoy wrote:
> >>> On Thu, 29 Oct 2015, Gabe Alford wrote:
> >>>> Hello,
> >>>>
> >>>> Fix for https://fedorahosted.org/freeipa/ticket/5414
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Gabe
> >>>
> >>>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
> >>>> From: Gabe <redhatri...@gmail.com>
> >>>> Date: Thu, 29 Oct 2015 20:28:27 -0600
> >>>> Subject: [PATCH] Incomplete ports for IPA AD Trust
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/5414
> >>>> ---
> >>>> install/tools/ipa-adtrust-install | 1 +
> >>>> 1 file changed, 1 insertion(+)
> >>>>
> >>>> diff --git a/install/tools/ipa-adtrust-install
> >>>> b/install/tools/ipa-adtrust-install
> >>>> index
> >>>>
> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
> >>>>
> >>>> 100755
> >>>> --- a/install/tools/ipa-adtrust-install
> >>>> +++ b/install/tools/ipa-adtrust-install
> >>>> @@ -472,6 +472,7 @@ Setup complete
> >>>>
> >>>> You must make sure these network ports are open:
> >>>> \tTCP Ports:
> >>>> +\t  * 135: epmap
> >>>> \t  * 138: netbios-dgm
> >>>> \t  * 139: netbios-ssn
> >>>> \t  * 445: microsoft-ds
> >>> This is good but not complete. What the end-point mapper does is create a
> >>> listener based on the incoming request, and access to the listener needs
> >>> to be provided as well. A listener is currently created in the range
> >>> 1024..1300/TCP, but we already have a request to make this range
> >>> configurable (it is hard-coded right now in Samba code) because with
> >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> >>> https://support.microsoft.com/en-us/kb/929851
> >>>
> >>> We were thinking of adding a call-out hook on the Samba side to call a
> >>> firewall-related script that could do hole punching on demand, but it is
> >>> not there yet.
> >>>
> >>> What we could do in ipa-adtrust-install is to add a section about TCP/UDP
> >>> ports to the manual page and explicitly reference it in the case of the
> >>> epmap line:
> >>> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
> >>>
> >>> We don't have the firewall section in the manpage at all, btw.
> >>>
> >>> What do you think?
> >>
> >> Maybe I'm missing something, but ... Could we simply put the current range
> >> 1024..1300/TCP into the installer now and do other changes as Samba
> >> evolves? I think that it is good enough as a hotfix and that we do not
> >> need to over-complicate it in the beginning.
> > That's essentially what I said too -- but I want to have firewall
> > requirements documented in the manpage so that they are available
> > beforehand _and_ people actually read them when they are referenced in
> > the output.
> >
> > I'm not asking for anything else here. Documentation is needed.
>
> Thanks for the clarification, I was under the impression that you wanted to
> put it only into the man page :-)
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>
From 227cf5ae9f7e1c0d5ce96c996baa75448430ce99 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Fri, 30 Oct 2015 09:11:00 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

- Add subsection to ipa-adtrust-install man page
- Update port information in ipa-adtrust-install

https://fedorahosted.org/freeipa/ticket/5414
---
 install/tools/ipa-adtrust-install       |  4 ++++
 install/tools/man/ipa-adtrust-install.1 | 25 +++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..ff69d69e2c11ce08b8b648a5a78777c472da2ac9 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -472,15 +472,19 @@ Setup complete
 
 You must make sure these network ports are open:
 \tTCP Ports:
+\t  * 135: epmap
 \t  * 138: netbios-dgm
 \t  * 139: netbios-ssn
 \t  * 445: microsoft-ds
+\t  * 1024..1300: epmap listener range
 \tUDP Ports:
 \t  * 138: netbios-dgm
 \t  * 139: netbios-ssn
 \t  * 389: (C)LDAP
 \t  * 445: microsoft-ds
 
+See the ipa-adtrust-install(1) man page for more details
+
 =============================================================================
 """)
     if admin_password:
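Review bot: the UDP list in this hunk still carries the context line '\t  * 445: microsoft-ds', while the man page hunk in the same patch lists only 138, 139 and 389 under UDP, so the installer output and the page it now points readers to ('See the ipa-adtrust-install(1) man page for more details') disagree on 445/udp; settle on one list and use it in both places. The new '1024..1300: epmap listener range' entry is, as discussed earlier in the thread, a range hard-coded in Samba today, so wording it as the current range rather than a fixed requirement would avoid the line going stale once it becomes configurable.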
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 06378b5983e55bb6c34971b0f5129246f9f14fd3..36c468336909c705c68a2794dec699f3f05579d9 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -36,6 +36,31 @@ configuration of the local range cannot be changed by running
 ipa\-adtrust\-install a second time because with changes here other objects
 might be affected as well.
 
+.SS "Firewall Requirements"
+In addition to the IPA server firewall requirements, ipa\-adtrust\-install requires
+the following ports to be open to allow IPA and Active Directory to communicate together:
+
+\fBTCP Ports\fR
+.IP
+\(bu 135/tcp EPMAP
+.IP
+\(bu 138/tcp NetBIOS-DGM
+.IP
+\(bu 139/tcp NetBIOS-SSN
+.IP
+\(bu 445/tcp Microsoft-DS
+.IP
+\(bu 1024/tcp through 1300/tcp to allow EPMAP on port 135/tcp to create a TCP listener based
+on an incoming request.
+.TP
+\fBUDP Ports\fR
+.IP
+\(bu 138/udp NetBIOS-DGM
+.IP
+\(bu 139/udp NetBIOS-SSN
+.IP
+\(bu 389/udp LDAP
+
 .SH "OPTIONS"
 .TP
 \fB\-d\fR, \fB\-\-debug\fR
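Review bot: the '.TP' before '\fBUDP Ports\fR' has no counterpart before '\fBTCP Ports\fR', and because the next line is '.IP' the tag is left with an empty body; use the same markup for both headings (a plain bold line, as the TCP heading already is). The UDP list here omits 445/udp and labels 389/udp as plain 'LDAP', whereas the installer hunk prints '445: microsoft-ds' and '389: (C)LDAP'; align the two lists, and spelling out CLDAP (connectionless LDAP) tells readers why 389 appears under UDP at all. The '1024/tcp through 1300/tcp' entry should also state that this is the range currently fixed in Samba and may change, as noted upthread, and 'communicate together' reads better as just 'communicate'.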
-- 
1.8.3.1

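An added helper, not part of this patch or of FreeIPA, that parses the port block exactly as the patched installer prints it (the sample below is constructed from the hunk above, with tabs written as \t escapes as in the installer's own string literal), expands the 1024..1300 range, and turns the result into firewall-cmd --add-port arguments. It assumes firewalld's N-M/proto port-range syntax and is meant for checking that what an admin opens matches what the installer lists.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: the port block ipa-adtrust-install prints after the patch.
INSTALLER_OUTPUT = """\
You must make sure these network ports are open:
\tTCP Ports:
\t  * 135: epmap
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 445: microsoft-ds
\t  * 1024..1300: epmap listener range
\tUDP Ports:
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 389: (C)LDAP
\t  * 445: microsoft-ds
"""


def parse_port_block(text: str) -> Set[Tuple[str, int]]:
    """Turn the installer's port list into (proto, port) pairs, expanding N..M ranges."""
    ports: Set[Tuple[str, int]] = set()
    proto = None
    for line in text.splitlines():
        head = re.match(r"\s*(TCP|UDP) Ports:", line)
        if head:
            proto = head.group(1).lower()
            continue
        entry = re.match(r"\s*\*\s*(\d+)(?:\.\.(\d+))?:", line)
        if entry and proto:
            lo, hi = int(entry.group(1)), int(entry.group(2) or entry.group(1))
            ports.update((proto, p) for p in range(lo, hi + 1))
    return ports


def firewall_cmd_args(ports: Set[Tuple[str, int]]) -> List[str]:
    """Collapse consecutive ports back into ranges and emit firewall-cmd --add-port arguments."""
    args: List[str] = []
    for proto in ("tcp", "udp"):
        nums = sorted(p for pr, p in ports if pr == proto)
        i = 0
        while i < len(nums):
            j = i
            while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
                j += 1  # extend the run while ports are consecutive
            span = str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}"
            args.append(f"--add-port={span}/{proto}")
            i = j + 1
    return args
```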