[Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

[Alexander Bokovoy]

On Thu, 29 Oct 2015, Gabe Alford wrote:
>Hello,
>
>Fix for https://fedorahosted.org/freeipa/ticket/5414
>
>Thanks,
>
>Gabe

>From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
>From: Gabe <redhatrises at gmail.com>
>Date: Thu, 29 Oct 2015 20:28:27 -0600
>Subject: [PATCH] Incomplete ports for IPA AD Trust
>
>https://fedorahosted.org/freeipa/ticket/5414
>---
> install/tools/ipa-adtrust-install | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
>index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 100755
>--- a/install/tools/ipa-adtrust-install
>+++ b/install/tools/ipa-adtrust-install
>@@ -472,6 +472,7 @@ Setup complete
> 
> You must make sure these network ports are open:
> \tTCP Ports:
>+\t  * 135: epmap
> \t  * 138: netbios-dgm
> \t  * 139: netbios-ssn
> \t  * 445: microsoft-ds
This is good but not complete. What end-point mapper does is creating a
listener based on the incoming request and access to the listener needs
to be provided as well. A listener is created currently in the range of
1024..1300/TCP but we already have request to make this range
configurable (it is hard coded right now in Samba code) because with
Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
https://support.microsoft.com/en-us/kb/929851

We were thinking to add a call out hook on Samba side to call
firewall-related script that could do hole punching on demand but it is
not there yet.

What we could do in ipa-adtrust-install, is to add section about TCP/UDP
ports to the manual page and explicitly reference that one in case of
epmap line:
\t  *135: epmap (see ipa-adtrust-install(1) man page for details)

We don't have the firewall section in the manpage at all, btw.

What do you think?
-- 
/ Alexander Bokovoy