You can always sniff the network between the client and servers to see
which ports traffic is going over. Wireshark can do this or your firewall
admin may be able to grab a trace. It's ugly, but it will tell you every
port used (even ephemeral ones).
=G=
On Wed, Mar 14, 2018 at 4:34 PM, Roger Mårtensson <
roger.martensson(a)gmail.com> wrote:
Hi!
Den 2018-03-14 kl. 18:26, skrev Simo Sorce:
> On Wed, 2018-03-14 at 18:01 +0100, Roger Mårtensson wrote:
>
>> Hello!
>>
>> Got tasked to look at firewall rules and am now wondering if there is a
>> document anywhere that describes the ports and protocols used by SSSD?
>>
>> My list currently consists of: 53 (udp/tcp), 88 (udp), 389 (tcp), 636
>> (tcp), 3268 (tcp) and 3269 (tcp)
>>
>> If I search on "Windows Client" and ports I get tons of ports and
>> port-ranges I may need to open. But what does SSSD use?
>>
> It really depends on what backend you are using.
>
Sorry about that. I'm using the AD backend with kerberos (GSSAPI) against
an Active Directory. (2008R2 at the moment. Hope 2016+ have added more
ports)
> for AD you won't need 636(tcp) but you will need 389 (udp) for site
> discovery and 445 (tcp) if you use GPOs
>
> If you use a plain LDAP server then you won't need 3268/3269
>
> For password changes if you use kerberos (including AD) you will need
> 464(tcp)
>
Everything is so much simpler when not using a firewall but then you have
to deal with the drawbacks.
Wish there was a popular API that services like this could use to
announce ports used or propose rules.
> If you use one of the pam passthrough modules you may need other
> things (like NIS ports etc... )
>
> Simo.
>
> _______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
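A way to turn the "sniff the traffic" suggestion above into a firewall-rule check, written as an added example that is not part of this thread: tally the (protocol, destination port) pairs a client actually sent to the domain controllers and compare them with the AD-backend port list Simo gave. The input format (one "proto TAB dst_ip TAB dst_port" line per packet) and the sample lines are constructed assumptions; a real trace would be exported from Wireshark or tshark into that shape first.

```python
"""Audit observed client->DC traffic against the SSSD AD-backend port list
from the thread.  Example code, not part of SSSD."""
from collections import Counter

# Ports named in the thread for the AD backend with Kerberos/GSSAPI.
# 636/tcp is left out on purpose: the thread says it is not needed for AD.
EXPECTED_AD_PORTS = {
    ("udp", 53), ("tcp", 53),      # DNS
    ("udp", 88), ("tcp", 88),      # Kerberos
    ("udp", 389), ("tcp", 389),    # LDAP; udp/389 for site discovery
    ("tcp", 445),                  # SMB, needed when GPOs are used
    ("tcp", 464),                  # kpasswd (password changes)
    ("tcp", 3268), ("tcp", 3269),  # Global Catalog (AD only)
}

# Constructed sample trace: "proto<TAB>dst_ip<TAB>dst_port", one packet per
# line.  tcp/135 stands in for "some port the thread's list does not cover";
# it is not a claim about what SSSD itself uses.
SAMPLE_TRACE = """\
udp\t10.0.0.10\t53
udp\t10.0.0.10\t389
tcp\t10.0.0.10\t389
tcp\t10.0.0.10\t88
tcp\t10.0.0.10\t3268
tcp\t10.0.0.10\t445
tcp\t10.0.0.10\t464
tcp\t10.0.0.10\t135
tcp\t192.0.2.5\t443
"""


def tally_ports(trace_text, dc_ips):
    """Count (proto, port) pairs for packets whose destination is a DC."""
    counts = Counter()
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        proto, dst, port = line.split("\t")
        if dst in dc_ips:                      # ignore non-DC traffic
            counts[(proto.lower(), int(port))] += 1
    return counts


def audit(trace_text, dc_ips, expected=EXPECTED_AD_PORTS):
    """Split DC traffic into ports the thread accounts for, ports it does
    not (investigate before writing a rule), and listed ports never seen."""
    seen = set(tally_ports(trace_text, dc_ips))
    return {"known": sorted(seen & expected),
            "unexpected": sorted(seen - expected),
            "unused": sorted(expected - seen)}


if __name__ == "__main__":
    for key, ports in audit(SAMPLE_TRACE, {"10.0.0.10"}).items():
        print(key, ports)
```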