[Samba] Samba4 and iptables
Hi everyone,

I had posted recently about getting Samba4 to work on CentOS 6.4 but having changes only replicating in one direction, from the Win2k3 AD but not back to it. I solved the problem, this time, by disabling iptables. I find it a bit hard to understand. These are the rules I have set up:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5888]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment DNS -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment NTP -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment Kerberos -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m comment --comment CUPS -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -m comment --comment CUPS -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Additionally, I used to have -s 10.0.0.0/8 on all of the samba-related ones, but then I couldn't connect to the new DC via the Windows AD Users and Computers tool. Take away -s, and it works. So the above is now what I have, but when iptables is enabled, I get

Warning: No NC replicated for Connection!

on outbound when I run samba-tool drs showrepl, and I get errors like this in Windows Event Viewer:

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date: 2013-08-15
Time: 10:21:27 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: OLDDC
Description:
The attempt to establish a replication link for the following writable directory partition failed.
Directory partition: DC=mydomain,DC=lan
Source domain controller: CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=mydomain-office,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Source domain controller address: fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan
Intersite transport (if any):
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.
User Action
Verify if the source domain controller is accessible or network connectivity is available.
Additional Data
Error value: 1722 The RPC server is unavailable.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
(end quote)

Also, the AD Replication Status Viewer tool will say that NEWDC cannot be contacted. Disable iptables, and voila, it starts reporting successful replication. IIUC it's port 135 that allows RPC contact, which I believe my iptables config above should correctly open. If not, could someone show me where I've gone wrong here?

Thanks,
Kev

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and iptables
On 8/15/2013 10:36 AM, Kevin Field wrote:
[...]

https://wiki.samba.org/index.php/Configure_your_firewall

Are you missing UDP port 137-138 (and possibly a few others) in your IPTables?

Also, try looking at the output of the following to check for ports in use:

# netstat -taunp | egrep "tcp.*LISTEN|udp" | egrep "samba|smbd"

One of our internal Samba servers has the following in /etc/sysconfig/iptables. You won't need the NFSCHECK chains unless you are also using NFS.

# Generated by iptables-save v1.4.7 on Fri May 24 21:51:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:6932]
:NFSCHECK - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -j NFSCHECK
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A NFSCHECK -s 172.30.0.0/24 -p tcp -m multiport --dports 2049,32803,892,662,111 -m comment --comment "TCP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -s 172.30.0.0/24 -p udp -m multiport --dports 2049,32769,892,662,111 -m comment --comment "UDP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -j RETURN
COMMIT
# Completed on Fri May 24 21:51:36 2013
Re: [Samba] Samba4 and iptables
Thanks for your help, Thomas. I think it was the missing state part of some of the lines. When I use your example, it replicates, even in both directions this time! Which is quite odd, since without iptables running, I still had problems getting my Samba test user to replicate over to the Windows DC.

Also, in case it helps anyone else who is not using NetBIOS: even if I cut the NetBIOS ports, it still works fine. Same with the SSL ports. So now I have for the main part of it:

-A INPUT -m comment --comment DNS -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -m comment --comment DNS -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m comment --comment Kerberos -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -m comment --comment Kerberos -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "End Point Mapper (DCE/RPC Locator Service)" -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -m comment --comment LDAP -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m comment --comment LDAP -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -m comment --comment SMB -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -m comment --comment CUPS -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -m comment --comment CUPS -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -m comment --comment RPC -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -m comment --comment "Global Catalog" -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT

Just tested adding a second user and it replicated immediately. Yay!

Thanks again,
Kev
Re: [Samba] Samba4 and iptables
Hello List-Members,

I am still working on a perfect firewall configuration for a Samba4 AD, but it seems to be tricky work. Maybe somebody has an idea about my mistake. When I reset the firewall rules, everything works perfectly: the network devices get connected and I can work with dsa.msc. But it fails with the following rules:

Chain INPUT (policy DROP)
target     prot opt source           destination
ACCEPT     all  --  0.0.0.0/0        0.0.0.0/0     state RELATED,ESTABLISHED
ACCEPT     icmp --  192.168.0.0/24   192.168.0.2   icmp type 8 state NEW
ACCEPT     all  --  0.0.0.0/0        0.0.0.0/0
ACCEPT     tcp  --  192.168.0.0/24   192.168.0.2   tcp dpt:53 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24   192.168.0.2   udp dpt:53 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24   192.168.0.2   tcp dpt:88 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24   192.168.0.2   udp dpt:88 state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24   192.168.0.2   udp dpt:123 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24   192.168.0.2   tcp dpt:135 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24   192.168.0.2   udp dpt:137 state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24   192.168.0.2   udp dpt:138 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24   192.168.0.2   tcp dpt:139 state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24   192.168.0.2   tcp dpt:389 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24   192.168.0.2   udp dpt:389 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24   192.168.0.2   tcp dpt:445 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24   192.168.0.2   udp dpt:445 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24   192.168.0.2   tcp dpt:464 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24   192.168.0.2   udp dpt:464 state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24   192.168.0.2   tcp dpt:636 state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24   192.168.0.2   tcp dpts:1024:65535 state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/24   192.168.0.2   udp dpts:1024:65535 state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source           destination

Chain OUTPUT (policy DROP)
target     prot opt source           destination
ACCEPT     all  --  0.0.0.0/0        0.0.0.0/0        state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0        0.0.0.0/0
ACCEPT     tcp  --  192.168.0.2      192.168.0.0/24   tcp spt:53 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2      192.168.0.0/24   udp spt:53 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2      192.168.0.0/24   tcp spt:88 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2      192.168.0.0/24   udp spt:88 state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.2      192.168.0.0/24   udp spt:123 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2      192.168.0.0/24   tcp spt:135 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2      192.168.0.0/24   udp spt:137 state RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.2      192.168.0.0/24   udp spt:138 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2      192.168.0.0/24   tcp spt:139 state ESTABLISHED
ACCEPT     tcp  --  192.168.0.2      192.168.0.0/24   tcp spt:389 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2      192.168.0.0/24   udp spt:389 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2      192.168.0.0/24   tcp spt:445 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2      192.168.0.0/24   udp spt:445 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2      192.168.0.0/24   tcp spt:464 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2      192.168.0.0/24   udp spt:464 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.2      192.168.0.0/24   tcp spt:636 state ESTABLISHED
ACCEPT     tcp  --  192.168.0.2      192.168.0.0/24   tcp spts:1024:65535 state ESTABLISHED
ACCEPT     udp  --  192.168.0.2      192.168.0.0/24   udp spts:1024:65535 state RELATED,ESTABLISHED

I think I have noted all the important ports from the documentation. You will see that I have opened the ports 1024:65535 for the local network, so I guess that I have to open an additional port between 1 and 1023!? Maybe I have a mistake in the state rules?? If I don't set --sport and --dport for the clients, then I believe the clients can use the ports 1:65535??

Best regards
Bert

On 14.02.2011 22:30, nc-codew...@netcologne.de wrote:
...
Re: [Samba] Samba4 and iptables
Hello tms3 and list-members,

many thanks for your help. I spent a lot of time configuring my firewall. I opened all the ports listed here: http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx, but at first without success. I don't know why, but port 1024 seems to be very important. I found this port step by step with smaller and smaller port ranges. After I had opened this port I was able to log on to the domain. netstat gives me the following result:

...
tcp   0   0 0.0.0.0:464      0.0.0.0:*   LISTEN   1361/samba
...
tcp   0   0 192.168.0.1:53   0.0.0.0:*   LISTEN   1183/named
...
tcp   0   0 0.0.0.0:88       0.0.0.0:*   LISTEN   1361/samba
...
tcp   0   0 127.0.0.1:953    0.0.0.0:*   LISTEN   1183/named
tcp   0   0 0.0.0.0:636      0.0.0.0:*   LISTEN   1356/samba
tcp   0   0 0.0.0.0:445      0.0.0.0:*   LISTEN   1343/samba
...
tcp   0   0 0.0.0.0:1024     0.0.0.0:*   LISTEN   1346/samba
tcp   0   0 0.0.0.0:3268     0.0.0.0:*   LISTEN   1356/samba
tcp   0   0 0.0.0.0:389      0.0.0.0:*   LISTEN   1356/samba
tcp   0   0 0.0.0.0:135      0.0.0.0:*   LISTEN   1346/samba
tcp   0   0 0.0.0.0:139      0.0.0.0:*   LISTEN   1343/samba

I tested this with one WinXP client and tomorrow I will start a test with more clients. I hope this will help somebody to make the server a little bit more secure.

Regards
Bert

On 10.02.2011 15:53, t...@tms3.com wrote:
[...]
Re: [Samba] Samba4 and iptables
[...] I don't know why, but port 1024 seems to be very important. [...]

That's a DCOM port. I wouldn't have thought that one was necessary. Maybe a question as to why on technical is in order.

[...]
Re: [Samba] Samba4 and iptables
...

I found a very interesting thread: http://art.ubuntuforums.org/showthread.php?p=9599313

Regards
Bert

On 14.02.2011 22:05, t...@tms3.com wrote:
[...]
[Samba] Samba4 and iptables
Hello everybody,

I have a running installation of Samba4 as AD. All is working fine, but when I start the firewall, the clients have problems logging in. In my firewall rules from the past, I had opened the ports 137:139 and 445 for samba, and newly port 53 for bind. The clients (WinXP) seem to have problems reading and writing from/to the home directories. Maybe samba4 needs additional or other ports to work fine?

Here are my current iptables rules:

IPTABLES=/sbin/iptables
#Bind
$IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
$IPTABLES -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
$IPTABLES -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT;
$IPTABLES -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT;
#Samba
$IPTABLES -A INPUT -p udp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
$IPTABLES -A OUTPUT -p udp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
$IPTABLES -A INPUT -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
$IPTABLES -A OUTPUT -p tcp --sport 137:139 -m state --state ESTABLISHED,RELATED -j ACCEPT;
$IPTABLES -A INPUT -p udp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
$IPTABLES -A OUTPUT -p udp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
$IPTABLES -A INPUT -p tcp --dport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;
$IPTABLES -A OUTPUT -p tcp --sport 445 -m state --state ESTABLISHED,RELATED -j ACCEPT;

iptables --list
ACCEPT     tcp  --  anywhere   anywhere   tcp spt:domain state ESTABLISHED
ACCEPT     udp  --  anywhere   anywhere   udp spt:domain state ESTABLISHED
ACCEPT     udp  --  anywhere   anywhere   udp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere   tcp spts:netbios-ns:netbios-ssn state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere   anywhere   udp spt:microsoft-ds state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere   tcp spt:microsoft-ds state RELATED,ESTABLISHED

Note! I have the profiles configured with server copies of the home directories! That's the reason read/write access is necessary. When I log in with a client, the client looks for the server home directory. When a client logs out, it synchronizes the local home directory to the AD server. Without the firewall running on the AD, it works perfectly. With the firewall running I get the message on login that the client can't read the home directory, and when I log out, that the client can't synchronize the home directory. The domain login is always successful.

Thanks in advance!
Bert
Re: [Samba] Samba4 and iptables
[...] In my firewall rules from the past, I had opened the ports 137:139 and 445 for samba, and newly port 53 for bind.

Kerberos is on port 88
LDAP is on 339 636

Here is a list of AD port requirements and their uses.
http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

[...]