12:01 p.m.
Hello!
Got tasked to look at firewall rules and am now wondering if there is a
document anywhere that describes the ports and protocols used by SSSD?
My list currently consist of: 53 (udp/tcp), 88 (udp), 389 (tcp), 636
(tcp) and 3268 (tcp) and 3269 (tcp)
If I search on "Windows Client" and ports I get tons of ports and
port-ranges I may need to open. But what do SSSD use?
12:17 p.m.
On (14/03/18 18:01), Roger Mårtensson wrote:
Hello!
Got tasked to look at firewall rules and am now wondering if there is a
document anywhere that describes the ports and protocols used by SSSD?
My list currently consist of: 53 (udp/tcp), 88 (udp), 389 (tcp), 636 (tcp)
and 3268 (tcp) and 3269 (tcp)
ldaps(636) needn't be allowed if you use ldap+start_tls or ldap+gssapi
You might allow also 88(tcp) for kerberos // not just udp
+ also 464 for kpasswd
If I search on "Windows Client" and ports I get tons of
ports and port-ranges
I may need to open. But what do SSSD use?
If you use sssd with AD + GPO for access control then you might need to allow
access remote ports for samba. I assume following one based on SElinux policy
sh# semanage port -l | grep ^smbd_port_t
smbd_port_t tcp 445, 137-139
LS
12:26 p.m.
On Wed, 2018-03-14 at 18:01 +0100, Roger Mårtensson wrote:
Hello!
Got tasked to look at firewall rules and am now wondering if there is a
document anywhere that describes the ports and protocols used by SSSD?
My list currently consist of: 53 (udp/tcp), 88 (udp), 389 (tcp), 636
(tcp) and 3268 (tcp) and 3269 (tcp)
If I search on "Windows Client" and ports I get tons of ports and
port-ranges I may need to open. But what do SSSD use?
It really depends on what backend you are using.
for AD you won't need 636(tcp) but you will need 389 (udp) for site
discovery and 445 (tcp) if you use GPOs
If you use a plain LDAP server then you won't need 3268/3269
For password changes if you use kerberos (including AD) you will need
464(tcp)
If you use one of the pam passwthrough modules you may need othere
things (like NIS ports etc... )
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
3:34 p.m.
Hi!
Den 2018-03-14 kl. 18:26, skrev Simo Sorce:
On Wed, 2018-03-14 at 18:01 +0100, Roger Mårtensson wrote:
> Hello!
>
> Got tasked to look at firewall rules and am now wondering if there is a
> document anywhere that describes the ports and protocols used by SSSD?
>
> My list currently consist of: 53 (udp/tcp), 88 (udp), 389 (tcp), 636
> (tcp) and 3268 (tcp) and 3269 (tcp)
>
> If I search on "Windows Client" and ports I get tons of ports and
> port-ranges I may need to open. But what do SSSD use?
It really depends on what backend you are using.
Sorry about that. I'm using the AD backend with kerberos (GSSAPI)
against an Active Directory. (2008R2 at the moment. Hope 2016+ have
added more ports)
for AD you won't need 636(tcp) but you will need 389 (udp) for
site
discovery and 445 (tcp) if you use GPOs
If you use a plain LDAP server then you won't need 3268/3269
For password changes if you use kerberos (including AD) you will need
464(tcp)
Everything is so much simpler when not using a firewall but then you
have to deal with the drawbacks.
Wish there was an popular API that services like this could use to
announce ports used or propose rules.
If you use one of the pam passwthrough modules you may need othere
things (like NIS ports etc... )
Simo.
5:18 p.m.
You can always sniff the network between the client and servers to see
which ports traffic is going over. Wireshark can do this or your firewall
admin may be able to grab a trace. It's ugly, but it will tell you every
port used (even ephemeral ones).
=G=
On Wed, Mar 14, 2018 at 4:34 PM, Roger Mårtensson <
roger.martensson(a)gmail.com> wrote:
Hi!
Den 2018-03-14 kl. 18:26, skrev Simo Sorce:
> On Wed, 2018-03-14 at 18:01 +0100, Roger Mårtensson wrote:
>
>> Hello!
>>
>> Got tasked to look at firewall rules and am now wondering if there is a
>> document anywhere that describes the ports and protocols used by SSSD?
>>
>> My list currently consist of: 53 (udp/tcp), 88 (udp), 389 (tcp), 636
>> (tcp) and 3268 (tcp) and 3269 (tcp)
>>
>> If I search on "Windows Client" and ports I get tons of ports and
>> port-ranges I may need to open. But what do SSSD use?
>>
> It really depends on what backend you are using.
>
Sorry about that. I'm using the AD backend with kerberos (GSSAPI) against
an Active Directory. (2008R2 at the moment. Hope 2016+ have added more
ports)
for AD you won't need 636(tcp) but you will need 389 (udp) for site
> discovery and 445 (tcp) if you use GPOs
>
> If you use a plain LDAP server then you won't need 3268/3269
>
> For password changes if you use kerberos (including AD) you will need
> 464(tcp)
>
Everything is so much simpler when not using a firewall but then you have
to deal with the drawbacks.
Wish there was an popular API that services like this could use to
announce ports used or propose rules.
If you use one of the pam passwthrough modules you may need othere
> things (like NIS ports etc... )
>
> Simo.
>
> _______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
2228
days inactive
2228
days old
sssd-users@lists.fedorahosted.org
4 comments
4 participants
participants (4)
-
Galen Johnson -
Lukas Slebodnik -
Roger Mårtensson -
Simo Sorce