You can always sniff the network between the client and servers to see which ports traffic is going over. Wireshark can do this or your firewall admin may be able to grab a trace. It's ugly, but it will tell you every port used (even ephemeral ones).
=G=

On Wed, Mar 14, 2018 at 4:34 PM, Roger Mårtensson <[email protected]> wrote:

> Hi!
>
> On 2018-03-14 at 18:26, Simo Sorce wrote:
>
>> On Wed, 2018-03-14 at 18:01 +0100, Roger Mårtensson wrote:
>>
>>> Hello!
>>>
>>> Got tasked to look at firewall rules and am now wondering if there is a
>>> document anywhere that describes the ports and protocols used by SSSD?
>>>
>>> My list currently consists of: 53 (udp/tcp), 88 (udp), 389 (tcp), 636
>>> (tcp) and 3268 (tcp) and 3269 (tcp)
>>>
>>> If I search on "Windows Client" and ports I get tons of ports and
>>> port-ranges I may need to open. But what does SSSD use?
>>>
>> It really depends on what backend you are using.
>>
>
> Sorry about that. I'm using the AD backend with Kerberos (GSSAPI) against
> an Active Directory. (2008R2 at the moment. Hope 2016+ have added more
> ports)
>
>> for AD you won't need 636(tcp) but you will need 389 (udp) for site
>> discovery and 445 (tcp) if you use GPOs
>>
>> If you use a plain LDAP server then you won't need 3268/3269
>>
>> For password changes if you use Kerberos (including AD) you will need
>> 464(tcp)
>>
> Everything is so much simpler when not using a firewall but then you have
> to deal with the drawbacks.
> Wish there was a popular API that services like this could use to
> announce ports used or propose rules.
>
>> If you use one of the pam passthrough modules you may need other
>> things (like NIS ports etc... )
>>
>> Simo.
>>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
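An added example, not part of the original messages: one way to turn the trace suggested above into a firewall review, by comparing the destination ports a client actually used against the AD-backend ports named in this thread. It assumes the capture was exported with `tshark -r trace.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport` (the file name `trace.pcap`, the 192.0.2.x addresses and the sample rows are constructed placeholders).

```python
from collections import Counter

# (protocol, port) pairs named in the thread for the AD backend.
EXPECTED = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos",
    ("tcp", 389): "LDAP", ("udp", 389): "site discovery",
    ("tcp", 445): "GPOs",
    ("tcp", 464): "Kerberos password change",
    ("tcp", 3268): "Global Catalog", ("tcp", 3269): "Global Catalog (TLS)",
}

def audit(tsv_text, client_ip):
    """Return (seen, unexpected, unused) for packets sent by client_ip."""
    seen = Counter()
    for line in tsv_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4 or fields[0] != client_ip:
            continue  # malformed line, or a reply going back to the client
        tcp_port, udp_port = fields[2], fields[3]
        for proto, port in (("tcp", tcp_port), ("udp", udp_port)):
            if port:
                # tshark joins repeated fields with commas; keep the first.
                seen[(proto, int(port.split(",")[0]))] += 1
    unexpected = sorted(k for k in seen if k not in EXPECTED)
    unused = sorted(k for k in EXPECTED if k not in seen)
    return seen, unexpected, unused

# Constructed sample rows: ip.src, ip.dst, tcp.dstport, udp.dstport.
CLIENT, DC = "192.0.2.5", "192.0.2.10"
SAMPLE = "\n".join("\t".join(r) for r in [
    (CLIENT, DC, "", "53"), (CLIENT, DC, "", "389"), (CLIENT, DC, "", "88"),
    (CLIENT, DC, "88", ""), (CLIENT, DC, "389", ""), (CLIENT, DC, "389", ""),
    (DC, CLIENT, "51514", ""),  # server reply to an ephemeral port, ignored
    (CLIENT, DC, "445", ""), (CLIENT, DC, "49155", ""),
])

if __name__ == "__main__":
    seen, unexpected, unused = audit(SAMPLE, CLIENT)
    for (proto, port), count in sorted(seen.items()):
        label = EXPECTED.get((proto, port), "NOT ON THE LIST")
        print(f"{proto}/{port:<6} packets={count:<3} {label}")
    print("review before allowing:", unexpected)
    print("on the list but not observed:", unused)
```

Ports reported as not on the list are candidates to investigate before adding a rule, and listed ports that never appear may only show up during rarer operations such as a password change.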
