Hello everybody,

I have a running installation of Samba4 as AD. All is working fine, but when I start the firewall, the clients have problems logging in.

In my firewall rules from the past, I had opened ports 137:139 and 445 for Samba, and now port 53 for BIND.

The clients (WinXP) seem to have problems reading and writing from/to the home directories. Maybe Samba4 needs additional or other ports to work fine?

Here are my current iptables rules:

IPTABLES=/sbin/iptables

#Bind
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

#Samba
$IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT


iptables --list

ACCEPT tcp -- anywhere anywhere tcp spt:domain state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:domain state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:microsoft-ds state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds state RELATED,ESTABLISHED


Note! I have the profiles configured with server copies of the home directories! That's the reason for the necessary read/write possibility. When I log in with a client, the client looks for the server home directory. When a client logs out, the client synchronizes the local home directory to the AD server. Without the running firewall on the AD it works perfectly. With the running firewall I get the message on login that the client can't read the home directory, and on logout that the client can't synchronize the home directory. The domain login is always successful.

Thanks in advance!

Bert
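A small rule auditor, added here as an example and not part of Bert's post, that parses the INPUT rules above and flags two things a defender would check first: INPUT rules whose state match can never admit a client's first packet, and listening ports of a Samba AD DC (list taken from the Samba wiki; assumes default ports and a modern dynamic RPC range) that no NEW-accepting INPUT rule covers.

```python
import re

# The poster's INPUT rules, reproduced here as the input to audit (the OUTPUT
# rules do not affect what a client may open and are left out).
POSTED_RULES = """
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

RULE_RE = re.compile(r"-A (?P<chain>\w+) -p (?P<proto>tcp|udp) --dport (?P<ports>[\d:]+)"
                     r" -m state --state (?P<states>[A-Z,]+) -j (?P<target>\w+)")

# Listening ports of a Samba AD DC as documented on the Samba wiki; assumes the
# defaults and a modern dynamic RPC range (older releases used 1024-1300).
AD_DC_PORTS = [("tcp", 53, 53), ("udp", 53, 53), ("tcp", 88, 88), ("udp", 88, 88),
               ("tcp", 135, 135), ("udp", 137, 138), ("tcp", 139, 139),
               ("tcp", 389, 389), ("udp", 389, 389), ("tcp", 445, 445),
               ("tcp", 464, 464), ("udp", 464, 464), ("tcp", 636, 636),
               ("tcp", 3268, 3269), ("tcp", 49152, 65535)]

def parse_rules(text):
    """Turn '-A INPUT -p tcp --dport 137:139 ... -j ACCEPT' lines into dicts."""
    rules = []
    for m in RULE_RE.finditer(text):
        lo, _, hi = m["ports"].partition(":")
        rules.append({"chain": m["chain"], "proto": m["proto"], "target": m["target"],
                      "lo": int(lo), "hi": int(hi or lo), "states": set(m["states"].split(","))})
    return rules

def input_rules_missing_new(rules):
    """ACCEPT rules in INPUT that match only ESTABLISHED/RELATED never admit a
    client's first packet, so with a DROP policy that service is unreachable."""
    return [(r["proto"], r["lo"], r["hi"]) for r in rules
            if r["chain"] == "INPUT" and r["target"] == "ACCEPT" and "NEW" not in r["states"]]

def uncovered_ad_ports(rules, wanted=AD_DC_PORTS):
    """AD DC port ranges for which no INPUT rule accepts NEW connections over the whole range."""
    def admitted(proto, lo, hi):
        return any(r["chain"] == "INPUT" and r["target"] == "ACCEPT" and r["proto"] == proto
                   and r["lo"] <= lo and hi <= r["hi"] and "NEW" in r["states"] for r in rules)
    return [p for p in wanted if not admitted(*p)]

if __name__ == "__main__":
    parsed = parse_rules(POSTED_RULES)
    print("INPUT rules that can never accept a new connection:", input_rules_missing_new(parsed))
    print("AD DC ports not reachable for new connections:", uncovered_ad_ports(parsed))
```

Run against the posted rules it reports the tcp/445 INPUT rule (no NEW state) and every Kerberos, LDAP, RPC and kpasswd port as unreachable for new connections.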





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba