Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On 10/31/2015 11:38 AM, Alexander Bokovoy wrote:
> On Fri, 30 Oct 2015, Gabe Alford wrote:
>> Okay. Added the port range to ipa-adtrust-install and updated the man page
>> to reflect firewall requirements.
>> The firewall section seems a little rough, so let me know what you think it
>> would need to be smoothed over (if anything).
> Thanks, this is a good start. I'm sure we can improve it later, when
> Samba adds configurable setup for the ports.
>
> ACK

Pushed to master: a566657f9d73a01b08017d251c4a0776d46265e2
Pushed to ipa-4-2: e76e86656ae5c8f5e59a340e1ab4f9d107af7916

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On Fri, 30 Oct 2015, Gabe Alford wrote:
> Okay. Added the port range to ipa-adtrust-install and updated the man page
> to reflect firewall requirements.
> The firewall section seems a little rough, so let me know what you think it
> would need to be smoothed over (if anything).
Thanks, this is a good start. I'm sure we can improve it later, when
Samba adds configurable setup for the ports.

ACK

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On Thu, 29 Oct 2015, Gabe Alford wrote:
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5414

Thanks,

Gabe

From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
From: Gabe
Date: Thu, 29 Oct 2015 20:28:27 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

https://fedorahosted.org/freeipa/ticket/5414
---
install/tools/ipa-adtrust-install | 1 +
1 file changed, 1 insertion(+)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -472,6 +472,7 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds

This is good but not complete. What end-point mapper does is creating a
listener based on the incoming request and access to the listener needs
to be provided as well. A listener is created currently in the range of
1024..1300/TCP but we already have request to make this range
configurable (it is hard coded right now in Samba code) because with
Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
https://support.microsoft.com/en-us/kb/929851

We were thinking to add a call out hook on Samba side to call
firewall-related script that could do hole punching on demand but it is
not there yet.

What we could do in ipa-adtrust-install, is to add section about TCP/UDP
ports to the manual page and explicitly reference that one in case of
epmap line:
\t *135: epmap (see ipa-adtrust-install(1) man page for details)

We don't have the firewall section in the manpage at all, btw.

What do you think?

--
/ Alexander Bokovoy
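Review bot: opening 135/TCP alone, as the `+\t * 135: epmap` line in this hunk does, is not enough for the trust to work, because the endpoint mapper only tells the client which dynamically bound port to connect to next; the reply above names the listener range Samba currently uses (1024..1300/TCP), and the printed list should either carry that range beside the epmap entry or point at the man page, e.g. `\t * 135: epmap (see ipa-adtrust-install(1) man page for details)`, so that an administrator who opens exactly what the installer prints is not left with a broken trust. Since the thread also says the range is hard-coded in Samba today and expected to become configurable, whichever text is added should describe it as the current default rather than a fixed requirement.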
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On 30.10.2015 07:54, Alexander Bokovoy wrote: > On Thu, 29 Oct 2015, Gabe Alford wrote: >> Hello, >> >> Fix for https://fedorahosted.org/freeipa/ticket/5414 >> >> Thanks, >> >> Gabe > >> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 >> From: Gabe>> Date: Thu, 29 Oct 2015 20:28:27 -0600 >> Subject: [PATCH] Incomplete ports for IPA AD Trust >> >> https://fedorahosted.org/freeipa/ticket/5414 >> --- >> install/tools/ipa-adtrust-install | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/install/tools/ipa-adtrust-install >> b/install/tools/ipa-adtrust-install >> index >> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 >> 100755 >> --- a/install/tools/ipa-adtrust-install >> +++ b/install/tools/ipa-adtrust-install 
>> @@ -472,6 +472,7 @@ Setup complete >> >> You must make sure these network ports are open: >> \tTCP Ports: >> +\t * 135: epmap >> \t * 138: netbios-dgm >> \t * 139: netbios-ssn >> \t * 445: microsoft-ds
> This is good but not complete. What end-point mapper does is creating a
> listener based on the incoming request and access to the listener needs
> to be provided as well. A listener is created currently in the range of
> 1024..1300/TCP but we already have request to make this range
> configurable (it is hard coded right now in Samba code) because with
> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> https://support.microsoft.com/en-us/kb/929851
>
> We were thinking to add a call out hook on Samba side to call
> firewall-related script that could do hole punching on demand but it is
> not there yet.
>
> What we could do in ipa-adtrust-install, is to add section about TCP/UDP
> ports to the manual page and explicitly reference that one in case of
> epmap line:
> \t *135: epmap (see ipa-adtrust-install(1) man page for details)
>
> We don't have the firewall section in the manpage at all, btw.
>
> What do you think?

Maybe I'm missing something, but ... Could we simply put current range
1024..1300/TCP to the installer now and do other changes as Samba evolves? I
think that it is good enough as a hotfix and that we do not need to
over-complicate it in the beginning.

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On Fri, 30 Oct 2015, Petr Spacek wrote: On 30.10.2015 07:54, Alexander Bokovoy wrote: On Thu, 29 Oct 2015, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5414 Thanks, Gabe From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 29 Oct 2015 20:28:27 -0600 Subject: [PATCH] Incomplete ports for IPA AD Trust https://fedorahosted.org/freeipa/ticket/5414 --- install/tools/ipa-adtrust-install | 1 + 1 file changed, 1 insertion(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install 
@@ -472,6 +472,7 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds

This is good but not complete. What end-point mapper does is creating a
listener based on the incoming request and access to the listener needs
to be provided as well. A listener is created currently in the range of
1024..1300/TCP but we already have request to make this range
configurable (it is hard coded right now in Samba code) because with
Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
https://support.microsoft.com/en-us/kb/929851

We were thinking to add a call out hook on Samba side to call
firewall-related script that could do hole punching on demand but it is
not there yet.

What we could do in ipa-adtrust-install, is to add section about TCP/UDP
ports to the manual page and explicitly reference that one in case of
epmap line:
\t *135: epmap (see ipa-adtrust-install(1) man page for details)

We don't have the firewall section in the manpage at all, btw.

What do you think?

Maybe I'm missing something, but ... Could we simply put current range
1024..1300/TCP to the installer now and do other changes as Samba evolves? I
think that it is good enough as a hotfix and that we do not need to
over-complicate it in the beginning.

That's essentially what I said too -- but I want to have firewall
requirements documented in the manpage so that they are available
beforehand _and_ people actually read them when they are referenced in
the output.

I'm not asking for anything else here. Documentation is needed.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On 30.10.2015 11:10, Alexander Bokovoy wrote: > On Fri, 30 Oct 2015, Petr Spacek wrote: >> On 30.10.2015 07:54, Alexander Bokovoy wrote: >>> On Thu, 29 Oct 2015, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5414 Thanks, Gabe >>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 29 Oct 2015 20:28:27 -0600 Subject: [PATCH] Incomplete ports for IPA AD Trust https://fedorahosted.org/freeipa/ticket/5414 --- install/tools/ipa-adtrust-install | 1 + 1 file changed, 1 insertion(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install 
@@ -472,6 +472,7 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds >>> This is good but not complete. What end-point mapper does is creating a >>> listener based on the incoming request and access to the listener needs >>> to be provided as well. A listener is created currently in the range of >>> 1024..1300/TCP but we already have request to make this range >>> configurable (it is hard coded right now in Samba code) because with >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535: >>> https://support.microsoft.com/en-us/kb/929851 >>> >>> We were thinking to add a call out hook on Samba side to call >>> firewall-related script that could do hole punching on demand but it is >>> not there yet. >>> >>> What we could do in ipa-adtrust-install, is to add section about TCP/UDP >>> ports to the manual page and explicitly reference that one in case of >>> epmap line: >>> \t *135: epmap (see ipa-adtrust-install(1) man page for details) >>> >>> We don't have the firewall section in the manpage at all, btw. >>> >>> What do you think? >> >> Maybe I'm missing something, but ... Could we simply put current range >> 1024..1300/TCP to the installer now and do other changes as Samba evolves? I >> think that it is good enough as a hotfix and that we do not need to >> over-complicate it in the beginning. > That's essentially what I said too -- but I want to have firewall > requirements documented in the manpage so that they are available > beforehand _and_ people actually read them when they are referenced in > the output. > > I'm not asking for anything else here. Documentation is needed. 
Thanks for clarification, I was under the impression that you wanted to put it
only into the man page :-)

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
Okay. Added the port range to ipa-adtrust-install and updated the man page to reflect firewall requirements. The firewall section seems a little rough, so let me know what you think it would need to be smoothed over (if anything). thanks, Gabe On Fri, Oct 30, 2015 at 4:12 AM, Petr Spacekwrote: > On 30.10.2015 11:10, Alexander Bokovoy wrote: > > On Fri, 30 Oct 2015, Petr Spacek wrote: > >> On 30.10.2015 07:54, Alexander Bokovoy wrote: > >>> On Thu, 29 Oct 2015, Gabe Alford wrote: > Hello, > > Fix for https://fedorahosted.org/freeipa/ticket/5414 > > Thanks, > > Gabe > >>> > From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 > From: Gabe > Date: Thu, 29 Oct 2015 20:28:27 -0600 > Subject: [PATCH] Incomplete ports for IPA AD Trust > > https://fedorahosted.org/freeipa/ticket/5414 > --- > install/tools/ipa-adtrust-install | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/install/tools/ipa-adtrust-install > b/install/tools/ipa-adtrust-install > index > > 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 > > 100755 > --- a/install/tools/ipa-adtrust-install > +++ b/install/tools/ipa-adtrust-install 
> @@ -472,6 +472,7 @@ Setup complete > > You must make sure these network ports are open: > \tTCP Ports: > +\t * 135: epmap > \t * 138: netbios-dgm > \t * 139: netbios-ssn > \t * 445: microsoft-ds > >>> This is good but not complete. What end-point mapper does is creating a > >>> listener based on the incoming request and access to the listener needs > >>> to be provided as well. A listener is created currently in the range of > >>> 1024..1300/TCP but we already have request to make this range > >>> configurable (it is hard coded right now in Samba code) because with > >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535: > >>> https://support.microsoft.com/en-us/kb/929851 > >>> > >>> We were thinking to add a call out hook on Samba side to call > >>> firewall-related script that could do hole punching on demand but it is > >>> not there yet. > >>> > >>> What we could do in ipa-adtrust-install, is to add section about > TCP/UDP > >>> ports to the manual page and explicitly reference that one in case of > >>> epmap line: > >>> \t *135: epmap (see ipa-adtrust-install(1) man page for details) > >>> > >>> We don't have the firewall section in the manpage at all, btw. > >>> > >>> What do you think? > >> > >> Maybe I'm missing something, but ... Could we simply put current range > >> 1024..1300/TCP to the installer now and do other changes as Samba > evolves? I > >> think that it is good enough as a hotfix and that we do not need to > >> over-complicate it in the beginning. > > That's essentially what I said too -- but I want to have firewall > > requirements documented in the manpage so that they are available > > beforehand _and_ people actually read them when they are referenced in > > the output. > > > > I'm not asking for anything else here. Documentation is needed. 
>
> Thanks for clarification, I was under the impression that you wanted to put it
> only into the man page :-)
>
> --
> Petr^2 Spacek
>

From 227cf5ae9f7e1c0d5ce96c996baa75448430ce99 Mon Sep 17 00:00:00 2001
From: Gabe
Date: Fri, 30 Oct 2015 09:11:00 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

- Add subsection to ipa-adtrust-install man page
- Update port information in ipa-adtrust-install

https://fedorahosted.org/freeipa/ticket/5414
---
install/tools/ipa-adtrust-install | 4
install/tools/man/ipa-adtrust-install.1 | 25 +
2 files changed, 29 insertions(+)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..ff69d69e2c11ce08b8b648a5a78777c472da2ac9 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -472,15 +472,19 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds +\t * 1024..1300: epmap listener range \tUDP Ports: \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 389: (C)LDAP \t * 445: microsoft-ds +See the ipa-adtrust-install(1) man page for more details + = """) if admin_password:
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index 06378b5983e55bb6c34971b0f5129246f9f14fd3..36c468336909c705c68a2794dec699f3f05579d9 100644 ---
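Review bot: the new `+\t * 1024..1300: epmap listener range` line presents the range as a fixed requirement, while the thread states it is hard-coded in Samba today and is expected to become configurable, so both this line and the man page section it points to should call it the current default (something like `1024..1300: epmap listener range (current Samba default)`), otherwise the printed list and the man page will silently go stale when Samba changes. The man page hunk for install/tools/man/ipa-adtrust-install.1 is cut off after its index line in this message, so the new firewall subsection, which is the part Alexander asked for, cannot be reviewed from here; please make sure the full hunk reaches the list. The hunk header `@@ -472,15 +472,19 @@` is consistent with the four added lines, including the empty `+` line before `= """)`.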
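The port summary printed by the patched installer is the only thing many administrators will look at when they open their firewall, and the listener range is the entry that is easy to get wrong (it has to be expressed as a range, not a single port). As an added example that is not part of the patch or of FreeIPA's own code, the Python below parses that summary text into port entries and turns them into `firewall-cmd --permanent --add-port=LOW-HIGH/proto` invocations, which is firewalld's real syntax for a port range. The sample summary is constructed from the listing in the second patch above; the function names and the strictness of the parser (rejecting ports outside 1..65535 or inverted ranges) are my own choices, and the script only prints the commands rather than running them.

```python
"""Turn the port summary printed by ipa-adtrust-install into firewalld rules.

Added example for this thread, not FreeIPA's own code. It assumes the summary
keeps the layout shown in the patch: a "TCP Ports:" / "UDP Ports:" heading
followed by " * PORT: label" or " * LOW..HIGH: label" lines.
"""
import re
from typing import List, Tuple

# Constructed sample: the block the patched installer prints, per the thread.
SAMPLE_SUMMARY = """\
Setup complete

You must make sure these network ports are open:
\tTCP Ports:
\t * 135: epmap
\t * 138: netbios-dgm
\t * 139: netbios-ssn
\t * 445: microsoft-ds
\t * 1024..1300: epmap listener range
\tUDP Ports:
\t * 138: netbios-dgm
\t * 139: netbios-ssn
\t * 389: (C)LDAP
\t * 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
"""

HEADING = re.compile(r"^\s*(TCP|UDP) Ports:\s*$")
ENTRY = re.compile(r"^\s*\*\s*(\d+)(?:\.\.(\d+))?:\s*(.*?)\s*$")

PortEntry = Tuple[str, int, int, str]  # (proto, low, high, label)


def parse_port_summary(text: str) -> List[PortEntry]:
    """Return (proto, low, high, label) tuples in the order they appear.

    A single port is returned as low == high; a LOW..HIGH range as the pair.
    Lines outside a TCP/UDP section are ignored; malformed ranges raise.
    """
    entries: List[PortEntry] = []
    proto = None
    for line in text.splitlines():
        m = HEADING.match(line)
        if m:
            proto = m.group(1).lower()
            continue
        m = ENTRY.match(line)
        if not (m and proto):
            continue
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"invalid port range on line: {line!r}")
        entries.append((proto, low, high, m.group(3)))
    return entries


def firewalld_commands(entries: List[PortEntry]) -> List[str]:
    """Map parsed entries to firewall-cmd invocations (permanent + reload).

    firewalld accepts "--add-port=LOW-HIGH/proto" for a range, which is how
    the 1024..1300 epmap listener range has to be expressed; duplicates
    (the same port listed under one protocol twice) are emitted once.
    """
    cmds: List[str] = []
    seen = set()
    for proto, low, high, _label in entries:
        spec = f"{low}/{proto}" if low == high else f"{low}-{high}/{proto}"
        if spec in seen:
            continue
        seen.add(spec)
        cmds.append(f"firewall-cmd --permanent --add-port={spec}")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    # Print, do not execute: the administrator reviews the rules first.
    for cmd in firewalld_commands(parse_port_summary(SAMPLE_SUMMARY)):
        print(cmd)
```

Feeding the script the real installer output instead of `SAMPLE_SUMMARY` gives a rule list that mirrors exactly what the installer claims to need, so any later change to the listener range in the installer text (for instance when Samba makes it configurable) shows up as a changed `--add-port` line rather than as a forgotten manual step.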