I think 1024 is used for replication between DCs, and since it's above the 1024 range, it will jump ports if needed.

Ricky

On Mon, Mar 25, 2013 at 10:22 PM, steve <[email protected]> wrote:
> On 24/03/13 15:17, Thomas Simmons wrote:
>>
>>> On Mar 24, 2013 7:04 AM, "steve" <[email protected]> wrote:
>>>
>>>> Samba 4.0.4 on openSUSE 12.3
>>>> Hi everyone.
>>>>
>>>> Does anyone have a list of ports which have to be open to allow full DC
>>>> operation?
>>>>
>>>> I'm no expert in firewalls and only have Yast at my disposal to configure
>>>> it. I've tried opening samba server and DNS server ports via Yast but I
>>>> must be missing something because I have to turn off the firewall to e.g.
>>>> join a Windows client to the domain. Maybe Yast isn't the right tool?
>>>>
>>>> Cheers,
>>>> Steve
>>>
>>> Hello Steve,
>>
>> I have the following exceptions. Most of this came from netstat and
>> monitoring traffic. A few were picked up in Microsoft documentation, though
>> I've not seen my DC actually use them. Take special note of the last entry.
>> It is my understanding that Samba4 uses 1024 by default; however, if that
>> port is not available it will use 1025, 1026, etc. until it finds an open
>> port.
>>
>> iptables -A INPUT -p tcp --dport 389 -j ACCEPT  # LDAP
>> iptables -A INPUT -p udp --dport 389 -j ACCEPT  # LDAP (UDP)
>> iptables -A INPUT -p tcp --dport 636 -j ACCEPT  # LDAPS
>> iptables -A INPUT -p tcp --dport 53 -j ACCEPT   # DNS (TCP)
>> iptables -A INPUT -p udp --dport 53 -j ACCEPT   # DNS (UDP)
>> iptables -A INPUT -p tcp --dport 88 -j ACCEPT   # Kerberos (TCP)
>> iptables -A INPUT -p udp --dport 88 -j ACCEPT   # Kerberos (UDP)
>> iptables -A INPUT -p tcp --dport 464 -j ACCEPT  # Kerberos Password (TCP)
>> iptables -A INPUT -p udp --dport 464 -j ACCEPT  # Kerberos Password (UDP)
>> iptables -A INPUT -p tcp --dport 135 -j ACCEPT  # RPC
>> iptables -A INPUT -p udp --dport 137 -j ACCEPT  # NetBIOS Name Service
>> iptables -A INPUT -p udp --dport 138 -j ACCEPT  # NetBIOS Datagram Service
>> iptables -A INPUT -p tcp --dport 139 -j ACCEPT  # NetBIOS Session Service
>> iptables -A INPUT -p tcp --dport 445 -j ACCEPT  # MS Directory Service
>> iptables -A INPUT -p tcp --dport 3268 -j ACCEPT # MS Global Catalog
>> iptables -A INPUT -p tcp --dport 1024 -j ACCEPT # DCOM *note this port is not static*
>
> Hi Thomas
> Thanks. I've now got traffic through to the DC with the firewall
> activated. The only thing I'm not sure of is the 1024. I have it set but in
> (a few brief) tests, I've not seen wireshark mention it.
> Cheers,
> Steve
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
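The allow-list above was built from netstat and packet captures, so the practical check is to compare it against what the DC is actually listening on and review every difference before opening or closing anything. The script below is an added example, not code from the thread or from the Samba project. It takes `ss -lntu` style output (a constructed sample is embedded so it runs offline; on a real DC pipe `ss -Hlntu` into `audit_ports` instead), reduces it to `proto/port` pairs, and reports pairs the allow-list does not cover, plus allow-list entries nothing is listening on. The sample deliberately includes tcp/3269 (Global Catalog over SSL, which the list above omits while including 3268) and tcp/22 (sshd) so the output shows that an unlisted port is a finding to review, not something to open automatically. One caveat on the 1024 entry: Samba 4.7 and later expose the `rpc server dynamic port range` option (default 49152-65535), so on those versions the RPC endpoint rule should be written as a port range rather than a single port.

```shell
#!/bin/sh
# Added example (not from the Samba mailing list thread): audit a DC's
# listening sockets against a firewall allow-list. POSIX sh, no dependencies
# beyond sort/printf.
LC_ALL=C; export LC_ALL

# Allow-list taken from the thread's iptables rules, as proto/port pairs.
ALLOWED="tcp/389 udp/389 tcp/636 tcp/53 udp/53 tcp/88 udp/88 tcp/464 udp/464 \
tcp/135 udp/137 udp/138 tcp/139 tcp/445 tcp/3268 tcp/1024"

# Constructed sample of `ss -lntu` output (header included on purpose so the
# parser has to skip it). Not captured from a real host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:88          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:137         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:138         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:389         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:464         0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:53          0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:88          0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:135         0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:139         0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:389         0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:445         0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:464         0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:636         0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:1024        0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:3268        0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:3269        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*'

# Read ss output on stdin; print one sorted, unique "proto/port" per socket.
# The port is whatever follows the last colon, which also handles [::]:22.
listening_ports() {
    while read -r netid state rq sq laddr rest; do
        case "$netid" in
            tcp|udp) printf '%s/%s\n' "$netid" "${laddr##*:}" ;;
        esac
    done | sort -u
}

# Listening proto/port pairs that the allow-list does not cover.
unallowed_ports() {
    listening_ports | while read -r pp; do
        case " $ALLOWED " in
            *" $pp "*) ;;
            *) printf '%s\n' "$pp" ;;
        esac
    done
}

# Allow-list entries with no matching listener (candidates to drop).
unused_rules() {
    listening=" $(listening_ports | tr '\n' ' ')"
    for pp in $ALLOWED; do
        case "$listening" in
            *" $pp "*) ;;
            *) printf '%s\n' "$pp" ;;
        esac
    done | sort -u
}

# Human-readable report; reads ss output on stdin.
audit_ports() {
    input=$(cat)
    echo "Listening but not in the allow-list (review before opening):"
    printf '%s\n' "$input" | unallowed_ports | while read -r pp; do
        proto=${pp%/*}; port=${pp#*/}
        echo "  $pp  -> iptables -A INPUT -p $proto --dport $port -j ACCEPT  # only if needed"
    done
    echo "Allowed but nothing is listening (candidates to remove):"
    printf '%s\n' "$input" | unused_rules | sed 's/^/  /'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | audit_ports
```

On a live DC run `ss -Hlntu | audit_ports` and treat both lists as questions, not answers: sshd showing up means the rule belongs in a management allow-list scoped to admin hosts, and the RPC endpoint mapper's dynamic ports will only appear once a client has triggered them, which is why a few brief Wireshark runs may never show port 1024.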
