Re: [Freeipa-users] AD Trusts: Should tcp/389/636 be excluded or not?
On 08/04/2014 04:37 PM, Alexander Bokovoy wrote:
> On Mon, 04 Aug 2014, Mark Heslin wrote:
>> Folks,
>>
>> Does anyone know the current disposition of $subject? The FreeIPA documentation:
>>
>>   http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration
>>
>> would seem to indicate this is no longer necessary. Is this "official", or should we block just the Win/AD server from these ports?
>>
>> Alexander Bokovoy and I were working together last Friday on a cross-realm Kerberos trust to an AD server (Win2012 R2) and noticed replication was not working because I had tcp/389 and tcp/636 REJECT configured on the IdM servers. After removing the rules everything is working again.
>>
>> Currently, I still have the rules removed but would like to know whether to keep them removed or add them back in but block only the packets from the Win/AD server.
>
> Never ever block tcp/389 and tcp/636 between IPA servers or your replication will not work at all.
>
> The instruction we show at the end of ipa-adtrust-install is related only to communication with AD DCs, for the sake of their sanity, as any attempt to use LDAP(S) over TCP against IPA servers will most likely confuse Windows machines due to the completely different schema used. LDAP over UDP is required for trusts, as connectionless LDAP (CLDAP) is part of the discovery protocol that AD machines expect to work.
>
> Blocking TCP/389 and TCP/636 between AD DCs and IPA servers should not hurt.

Good. I can modify the firewalld rules accordingly:

  ipv4 filter ipa-server-chain 0 --proto tcp --destination-port 389 ! --source {ad-server-ip} --jump ACCEPT
  ipv4 filter ipa-server-chain 0 --proto tcp --destination-port 636 ! --source {ad-server-ip} --jump ACCEPT

Thanks Alexander :-)

-m

-- 
Red Hat Reference Architectures
Follow Us: https://twitter.com/RedHatRefArch
Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
Like Us: https://www.facebook.com/rhrefarch

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
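The exchange above settles three things: tcp/389 and tcp/636 must stay open between IPA servers (replication), they may be rejected from AD domain controllers only, and udp/389 (CLDAP) from the AD DC must remain open for DC discovery. The script below is an added example, not code from the thread or the FreeIPA project; it turns that guidance into firewalld direct rules. The chain name ipa-server-chain is taken from Mark's message but is assumed to already exist and be hooked into INPUT, the AD DC address is a placeholder argument, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example: print firewalld direct rules implementing the thread's guidance.
# Assumptions (not from the thread): the custom chain already exists and is
# reachable from INPUT; the AD DC address is passed in by the caller.
#
# Usage: ipa_adtrust_fw_rules <ad-dc-ipv4> [chain]
#        ipa_adtrust_fw_rules 192.0.2.10 | sh      # apply on an IPA server
ipa_adtrust_fw_rules() {
    ad_dc_ip="$1"
    chain="${2:-ipa-server-chain}"   # chain name as used in Mark's rules

    # Refuse anything that is not a dotted-quad: a stray character here
    # would otherwise be spliced into a firewall-cmd command line.
    case "$ad_dc_ip" in
        "" | *[!0-9.]*)
            echo "invalid IPv4 address: '$ad_dc_ip'" >&2
            return 1 ;;
    esac

    cmd="firewall-cmd --permanent --direct --add-rule ipv4 filter $chain"

    # Priority 0: reject LDAP and LDAPS over TCP from the AD DC only.
    # Replicas and clients are untouched by this rule.
    for port in 389 636; do
        echo "$cmd 0 --proto tcp --destination-port $port --source $ad_dc_ip --jump REJECT"
    done

    # Priority 1: CLDAP (udp/389) from the AD DC must stay open, since
    # AD uses it for DC discovery during trust operations.
    echo "$cmd 1 --proto udp --destination-port 389 --source $ad_dc_ip --jump ACCEPT"

    # Priority 2: everyone else (IPA replicas, enrolled clients) keeps
    # TCP LDAP/LDAPS, so replication keeps working.
    for port in 389 636; do
        echo "$cmd 2 --proto tcp --destination-port $port --jump ACCEPT"
    done
}
```

The REJECT rules are given a lower priority number than the general ACCEPT so firewalld evaluates them first; reversing the order would let the AD DC match the broad ACCEPT and defeat the point. After applying, `firewall-cmd --reload` is needed for the permanent rules to take effect.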
Re: [Freeipa-users] AD Trusts: Should tcp/389/636 be excluded or not?
On Mon, 04 Aug 2014, Mark Heslin wrote:
> Folks,
>
> Does anyone know the current disposition of $subject? The FreeIPA documentation:
>
>   http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration
>
> would seem to indicate this is no longer necessary. Is this "official", or should we block just the Win/AD server from these ports?
>
> Alexander Bokovoy and I were working together last Friday on a cross-realm Kerberos trust to an AD server (Win2012 R2) and noticed replication was not working because I had tcp/389 and tcp/636 REJECT configured on the IdM servers. After removing the rules everything is working again.
>
> Currently, I still have the rules removed but would like to know whether to keep them removed or add them back in but block only the packets from the Win/AD server.

Never ever block tcp/389 and tcp/636 between IPA servers or your replication will not work at all.

The instruction we show at the end of ipa-adtrust-install is related only to communication with AD DCs, for the sake of their sanity, as any attempt to use LDAP(S) over TCP against IPA servers will most likely confuse Windows machines due to the completely different schema used. LDAP over UDP is required for trusts, as connectionless LDAP (CLDAP) is part of the discovery protocol that AD machines expect to work.

Blocking TCP/389 and TCP/636 between AD DCs and IPA servers should not hurt.

-- 
/ Alexander Bokovoy
[Freeipa-users] AD Trusts: Should tcp/389/636 be excluded or not?
Folks,

Does anyone know the current disposition of $subject? The FreeIPA documentation:

  http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration

would seem to indicate this is no longer necessary. Is this "official", or should we block just the Win/AD server from these ports?

Alexander Bokovoy and I were working together last Friday on a cross-realm Kerberos trust to an AD server (Win2012 R2) and noticed replication was not working because I had tcp/389 and tcp/636 REJECT configured on the IdM servers. After removing the rules everything is working again.

Currently, I still have the rules removed but would like to know whether to keep them removed or add them back in but block only the packets from the Win/AD server.

Thanks,
-m

-- 
Red Hat Reference Architectures