Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-11-05 Thread Tomas Babej


On 10/31/2015 11:38 AM, Alexander Bokovoy wrote:
> On Fri, 30 Oct 2015, Gabe Alford wrote:
>> Okay. Added the port range to ipa-adtrust-install and updated the man
>> page
>> to reflect firewall requirements.
>> The firewall section seems a little rough, so let me know what you
>> think it
>> would need to be smoothed over (if anything).
> Thanks, this is a good start. I'm sure we can improve it later, when
> Samba adds configurable setup for the ports.
> 
> ACK

Pushed to master: a566657f9d73a01b08017d251c4a0776d46265e2
Pushed to ipa-4-2: e76e86656ae5c8f5e59a340e1ab4f9d107af7916

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-31 Thread Alexander Bokovoy

On Fri, 30 Oct 2015, Gabe Alford wrote:

Okay. Added the port range to ipa-adtrust-install and updated the man page
to reflect firewall requirements.
The firewall section seems a little rough, so let me know what you think it
would need to be smoothed over (if anything).

Thanks, this is a good start. I'm sure we can improve it later, when
Samba adds configurable setup for the ports.

ACK
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Alexander Bokovoy

On Thu, 29 Oct 2015, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5414

Thanks,

Gabe



From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 29 Oct 2015 20:28:27 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

https://fedorahosted.org/freeipa/ticket/5414
---
install/tools/ipa-adtrust-install | 1 +
1 file changed, 1 insertion(+)

diff --git a/install/tools/ipa-adtrust-install 
b/install/tools/ipa-adtrust-install
index 
1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -472,6 +472,7 @@ Setup complete

You must make sure these network ports are open:
\tTCP Ports:
+\t  * 135: epmap
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 445: microsoft-ds
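Review bot: the new `+\t  * 135: epmap` line on its own still leaves the notice incomplete, because the endpoint mapper only tells a client which dynamically assigned port to connect to next; the TCP range that Samba allocates those listeners from has to be reachable (and listed here) as well, otherwise the client gets through to 135 and then fails on the follow-up connection. Either add a range line under `\tTCP Ports:` or point the reader at documentation that states the range, for example `\t  * 135: epmap (see ipa-adtrust-install(1) man page for details)`.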

This is good but not complete. What the end-point mapper does is create a
listener based on the incoming request, and access to the listener needs
to be provided as well. A listener is currently created in the range of
1024..1300/TCP, but we already have a request to make this range
configurable (it is hard-coded right now in the Samba code) because with
Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
https://support.microsoft.com/en-us/kb/929851

We were thinking of adding a call-out hook on the Samba side to call a
firewall-related script that could do hole punching on demand, but it is
not there yet.

What we could do in ipa-adtrust-install is to add a section about TCP/UDP
ports to the manual page and explicitly reference it in the case of the
epmap line:
\t  *135: epmap (see ipa-adtrust-install(1) man page for details)

We don't have the firewall section in the manpage at all, btw.

What do you think?
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Petr Spacek
On 30.10.2015 07:54, Alexander Bokovoy wrote:
> On Thu, 29 Oct 2015, Gabe Alford wrote:
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/5414
>>
>> Thanks,
>>
>> Gabe
> 
>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
>> From: Gabe 
>> Date: Thu, 29 Oct 2015 20:28:27 -0600
>> Subject: [PATCH] Incomplete ports for IPA AD Trust
>>
>> https://fedorahosted.org/freeipa/ticket/5414
>> ---
>> install/tools/ipa-adtrust-install | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/install/tools/ipa-adtrust-install
>> b/install/tools/ipa-adtrust-install
>> index
>> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
>> 100755
>> --- a/install/tools/ipa-adtrust-install
>> +++ b/install/tools/ipa-adtrust-install
>> @@ -472,6 +472,7 @@ Setup complete
>>
>> You must make sure these network ports are open:
>> \tTCP Ports:
>> +\t  * 135: epmap
>> \t  * 138: netbios-dgm
>> \t  * 139: netbios-ssn
>> \t  * 445: microsoft-ds
> This is good but not complete. What the end-point mapper does is create a
> listener based on the incoming request, and access to the listener needs
> to be provided as well. A listener is currently created in the range of
> 1024..1300/TCP, but we already have a request to make this range
> configurable (it is hard-coded right now in the Samba code) because with
> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> https://support.microsoft.com/en-us/kb/929851
> 
> We were thinking of adding a call-out hook on the Samba side to call a
> firewall-related script that could do hole punching on demand, but it is
> not there yet.
> 
> What we could do in ipa-adtrust-install is to add a section about TCP/UDP
> ports to the manual page and explicitly reference it in the case of the
> epmap line:
> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
> 
> We don't have the firewall section in the manpage at all, btw.
> 
> What do you think?

Maybe I'm missing something, but ... Could we simply put the current range
1024..1300/TCP to the installer now and do other changes as Samba evolves? I
think that it is good enough as a hotfix and that we do not need to
over-complicate it in the beginning.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Alexander Bokovoy

On Fri, 30 Oct 2015, Petr Spacek wrote:

On 30.10.2015 07:54, Alexander Bokovoy wrote:

On Thu, 29 Oct 2015, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5414

Thanks,

Gabe



From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 29 Oct 2015 20:28:27 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

https://fedorahosted.org/freeipa/ticket/5414
---
install/tools/ipa-adtrust-install | 1 +
1 file changed, 1 insertion(+)

diff --git a/install/tools/ipa-adtrust-install
b/install/tools/ipa-adtrust-install
index
1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -472,6 +472,7 @@ Setup complete

You must make sure these network ports are open:
\tTCP Ports:
+\t  * 135: epmap
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 445: microsoft-ds

This is good but not complete. What the end-point mapper does is create a
listener based on the incoming request, and access to the listener needs
to be provided as well. A listener is currently created in the range of
1024..1300/TCP, but we already have a request to make this range
configurable (it is hard-coded right now in the Samba code) because with
Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
https://support.microsoft.com/en-us/kb/929851

We were thinking of adding a call-out hook on the Samba side to call a
firewall-related script that could do hole punching on demand, but it is
not there yet.

What we could do in ipa-adtrust-install is to add a section about TCP/UDP
ports to the manual page and explicitly reference it in the case of the
epmap line:
\t  *135: epmap (see ipa-adtrust-install(1) man page for details)

We don't have the firewall section in the manpage at all, btw.

What do you think?


Maybe I'm missing something, but ... Could we simply put the current range
1024..1300/TCP to the installer now and do other changes as Samba evolves? I
think that it is good enough as a hotfix and that we do not need to
over-complicate it in the beginning.

That's essentially what I said too -- but I want to have firewall
requirements documented in the manpage so that they are available
beforehand _and_ people actually read them when they are referenced in
the output.

I'm not asking for anything else here. Documentation is needed.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Petr Spacek
On 30.10.2015 11:10, Alexander Bokovoy wrote:
> On Fri, 30 Oct 2015, Petr Spacek wrote:
>> On 30.10.2015 07:54, Alexander Bokovoy wrote:
>>> On Thu, 29 Oct 2015, Gabe Alford wrote:
 Hello,

 Fix for https://fedorahosted.org/freeipa/ticket/5414

 Thanks,

 Gabe
>>>
 From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
 From: Gabe 
 Date: Thu, 29 Oct 2015 20:28:27 -0600
 Subject: [PATCH] Incomplete ports for IPA AD Trust

 https://fedorahosted.org/freeipa/ticket/5414
 ---
 install/tools/ipa-adtrust-install | 1 +
 1 file changed, 1 insertion(+)

 diff --git a/install/tools/ipa-adtrust-install
 b/install/tools/ipa-adtrust-install
 index
 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7

 100755
 --- a/install/tools/ipa-adtrust-install
 +++ b/install/tools/ipa-adtrust-install
 @@ -472,6 +472,7 @@ Setup complete

 You must make sure these network ports are open:
 \tTCP Ports:
 +\t  * 135: epmap
 \t  * 138: netbios-dgm
 \t  * 139: netbios-ssn
 \t  * 445: microsoft-ds
>>> This is good but not complete. What the end-point mapper does is create a
>>> listener based on the incoming request, and access to the listener needs
>>> to be provided as well. A listener is currently created in the range of
>>> 1024..1300/TCP, but we already have a request to make this range
>>> configurable (it is hard-coded right now in the Samba code) because with
>>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
>>> https://support.microsoft.com/en-us/kb/929851
>>>
>>> We were thinking of adding a call-out hook on the Samba side to call a
>>> firewall-related script that could do hole punching on demand, but it is
>>> not there yet.
>>>
>>> What we could do in ipa-adtrust-install is to add a section about TCP/UDP
>>> ports to the manual page and explicitly reference it in the case of the
>>> epmap line:
>>> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
>>>
>>> We don't have the firewall section in the manpage at all, btw.
>>>
>>> What do you think?
>>
>> Maybe I'm missing something, but ... Could we simply put the current range
>> 1024..1300/TCP to the installer now and do other changes as Samba evolves? I
>> think that it is good enough as a hotfix and that we do not need to
>> over-complicate it in the beginning.
> That's essentially what I said too -- but I want to have firewall
> requirements documented in the manpage so that they are available
> beforehand _and_ people actually read them when they are referenced in
> the output.
> 
> I'm not asking for anything else here. Documentation is needed.

Thanks for the clarification, I was under the impression that you wanted to
put it only into the man page :-)

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Gabe Alford
Okay. Added the port range to ipa-adtrust-install and updated the man page
to reflect firewall requirements.
The firewall section seems a little rough, so let me know what you think it
would need to be smoothed over (if anything).

thanks,

Gabe

On Fri, Oct 30, 2015 at 4:12 AM, Petr Spacek  wrote:

> On 30.10.2015 11:10, Alexander Bokovoy wrote:
> > On Fri, 30 Oct 2015, Petr Spacek wrote:
> >> On 30.10.2015 07:54, Alexander Bokovoy wrote:
> >>> On Thu, 29 Oct 2015, Gabe Alford wrote:
>  Hello,
> 
>  Fix for https://fedorahosted.org/freeipa/ticket/5414
> 
>  Thanks,
> 
>  Gabe
> >>>
>  From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
>  From: Gabe 
>  Date: Thu, 29 Oct 2015 20:28:27 -0600
>  Subject: [PATCH] Incomplete ports for IPA AD Trust
> 
>  https://fedorahosted.org/freeipa/ticket/5414
>  ---
>  install/tools/ipa-adtrust-install | 1 +
>  1 file changed, 1 insertion(+)
> 
>  diff --git a/install/tools/ipa-adtrust-install
>  b/install/tools/ipa-adtrust-install
>  index
> 
> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
> 
>  100755
>  --- a/install/tools/ipa-adtrust-install
>  +++ b/install/tools/ipa-adtrust-install
>  @@ -472,6 +472,7 @@ Setup complete
> 
>  You must make sure these network ports are open:
>  \tTCP Ports:
>  +\t  * 135: epmap
>  \t  * 138: netbios-dgm
>  \t  * 139: netbios-ssn
>  \t  * 445: microsoft-ds
> >>> This is good but not complete. What the end-point mapper does is create a
> >>> listener based on the incoming request, and access to the listener needs
> >>> to be provided as well. A listener is currently created in the range of
> >>> 1024..1300/TCP, but we already have a request to make this range
> >>> configurable (it is hard-coded right now in the Samba code) because with
> >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> >>> https://support.microsoft.com/en-us/kb/929851
> >>>
> >>> We were thinking of adding a call-out hook on the Samba side to call a
> >>> firewall-related script that could do hole punching on demand, but it is
> >>> not there yet.
> >>>
> >>> What we could do in ipa-adtrust-install is to add a section about
> TCP/UDP
> >>> ports to the manual page and explicitly reference it in the case of the
> >>> epmap line:
> >>> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
> >>>
> >>> We don't have the firewall section in the manpage at all, btw.
> >>>
> >>> What do you think?
> >>
> >> Maybe I'm missing something, but ... Could we simply put the current range
> >> 1024..1300/TCP to the installer now and do other changes as Samba
> evolves? I
> >> think that it is good enough as a hotfix and that we do not need to
> >> over-complicate it in the beginning.
> > That's essentially what I said too -- but I want to have firewall
> > requirements documented in the manpage so that they are available
> > beforehand _and_ people actually read them when they are referenced in
> > the output.
> >
> > I'm not asking for anything else here. Documentation is needed.
>
> Thanks for the clarification, I was under the impression that you wanted to
> put it
> only into the man page :-)
>
> --
> Petr^2 Spacek
>
>
From 227cf5ae9f7e1c0d5ce96c996baa75448430ce99 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Fri, 30 Oct 2015 09:11:00 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

- Add subsection to ipa-adtrust-install man page
- Update port information in ipa-adtrust-install

https://fedorahosted.org/freeipa/ticket/5414
---
 install/tools/ipa-adtrust-install   |  4 
 install/tools/man/ipa-adtrust-install.1 | 25 +
 2 files changed, 29 insertions(+)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..ff69d69e2c11ce08b8b648a5a78777c472da2ac9 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -472,15 +472,19 @@ Setup complete
 
 You must make sure these network ports are open:
 \tTCP Ports:
+\t  * 135: epmap
 \t  * 138: netbios-dgm
 \t  * 139: netbios-ssn
 \t  * 445: microsoft-ds
+\t  * 1024..1300: epmap listener range
 \tUDP Ports:
 \t  * 138: netbios-dgm
 \t  * 139: netbios-ssn
 \t  * 389: (C)LDAP
 \t  * 445: microsoft-ds
 
+See the ipa-adtrust-install(1) man page for more details
+
 =
 """)
 if admin_password:
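Review bot: the `+\t  * 1024..1300: epmap listener range` line hard-codes a value that is itself only a compile-time constant in Samba today, so it will go stale silently once Samba changes the default or makes the range configurable; consider qualifying it in the notice, for example `\t  * 1024..1300: epmap listener range (current Samba default)`, and stating in the new man page section that the range is Samba-defined, so administrators know to re-check it after a Samba upgrade rather than trusting the old number.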
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 06378b5983e55bb6c34971b0f5129246f9f14fd3..36c468336909c705c68a2794dec699f3f05579d9 100644
---
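Added example, not FreeIPA code and not from anyone in this thread: it parses the port notice in the format ipa-adtrust-install prints after the patch above and renders it as firewall-cmd arguments, so the dynamic epmap range 1024..1300 is opened together with 135 instead of being forgotten. The sample notice is a constructed copy of the post-patch output, and the --add-port rendering assumes firewalld.

```python
# Added example, not FreeIPA code: parse the port notice printed by
# ipa-adtrust-install (format as in the patch above) into structured rules
# and render them as firewall-cmd --add-port arguments.
import re
from collections import namedtuple
# Constructed copy of the post-patch installer notice (tabs as printed).
SAMPLE_NOTICE = """You must make sure these network ports are open:
\tTCP Ports:
\t  * 135: epmap
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 445: microsoft-ds
\t  * 1024..1300: epmap listener range
\tUDP Ports:
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 389: (C)LDAP
\t  * 445: microsoft-ds
"""

# proto is "tcp"/"udp"; last == first for a single port.
PortRule = namedtuple("PortRule", "proto first last name")

_HEADER = re.compile(r"^\s*(TCP|UDP) Ports:\s*$")
_ENTRY = re.compile(r"^\s*\*\s*(\d+)(?:\.\.(\d+))?:\s*(.+?)\s*$")

def parse_port_notice(text):
    """One PortRule per '* port[..port]: name' line under a proto header."""
    rules, proto = [], None
    for line in text.splitlines():
        head = _HEADER.match(line)
        if head:
            proto = head.group(1).lower()
            continue
        entry = _ENTRY.match(line)
        if entry and proto:
            first = int(entry.group(1))
            last = int(entry.group(2) or first)
            if not 0 < first <= last <= 65535:
                raise ValueError(f"bad port range in line {line!r}")
            rules.append(PortRule(proto, first, last, entry.group(3)))
    return rules

def firewall_cmd_args(rules):
    """firewalld takes single ports (135/tcp) and ranges (1024-1300/tcp)."""
    out = []
    for r in rules:
        span = str(r.first) if r.first == r.last else f"{r.first}-{r.last}"
        out.append(f"--add-port={span}/{r.proto}")
    return out
```

Each returned string is meant to be passed to `firewall-cmd --permanent` (then `--reload`) on the trust controller; the parser rejects out-of-range values so a mangled notice fails loudly rather than producing a bogus rule.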