[Freeipa-users] AD Trusts: Should tcp/389/636 be excluded or not?

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 4 20:37:44 UTC 2014


On Mon, 04 Aug 2014, Mark Heslin wrote:
>Folks,
>
>Does anyone know the current disposition of $subject? The FreeIPA
>documentation:
>
>http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration
>
>would seem to indicate this is no longer necessary. Is this "official"
>or should we block just the Win/AD server from these ports?
>
>Alexander Bokovoy and I were working together last Friday on a
>cross-realm Kerberos trust to an AD server (Win2012 R2) and noticed
>replication was not working because I had tcp/389 and tcp/636 REJECT
>configured on the IdM servers. After removing the rules everything is
>working again.
>
>Currently, I still have the rules removed but would like to know
>whether to keep them removed or add them back in but block only the
>packets from the Win/AD server.

Never ever block tcp/389 and tcp/636 between IPA servers or your
replication will not work at all. The instruction we show at the end of
ipa-adtrust-install is related only to communication with AD DCs for
the sake of their sanity as any attempt to use LDAP(S) over TCP against
IPA servers will most likely confuse Windows machines due to completely
different schema used. LDAP over UDP is required for trusts, as
connectionless LDAP (CLDAP) is part of the discovery protocol that AD
machines expect to work.

Blocking TCP/389 and TCP/636 between AD DCs and IPA servers should not
hurt.
-- 
/ Alexander Bokovoy
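The three constraints in the reply above (never block tcp/389 and tcp/636 between IPA servers, keep udp/389 CLDAP open to the AD DCs, optionally reject tcp/389 and tcp/636 from the AD DCs) are easy to get wrong with a blanket REJECT of the kind described in the question. The following is an added example, not code from the thread or from the FreeIPA project: a small linter that evaluates a first-match rule list the way an iptables INPUT chain would and reports which of those constraints a rule set violates, plus a generator for a rule set that satisfies them. The addresses for the IPA replicas and the AD domain controller are constructed placeholders.

```python
"""Lint host-firewall rules on an IPA server that takes part in an AD trust.

Constraints checked (from the mailing-list reply):
  - tcp/389 and tcp/636 must stay ACCEPTed from every other IPA server
    (replication runs over LDAP/LDAPS)
  - udp/389 (CLDAP) must stay ACCEPTed from the AD domain controllers
    (trust discovery)
  - tcp/389 and tcp/636 from the AD domain controllers may be REJECTed
All addresses are constructed placeholders, not real hosts.
"""
from dataclasses import dataclass
import ipaddress

IPA_SERVERS = ["192.0.2.10", "192.0.2.11"]  # constructed: this server's replicas
AD_DCS = ["198.51.100.5"]                    # constructed: trusted AD domain controller
LDAP_TCP_PORTS = (389, 636)


@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the IPA server
    source: str   # single address or CIDR; "0.0.0.0/0" means any source
    action: str   # "ACCEPT", "REJECT" or "DROP"


def matches(rule: Rule, proto: str, port: int, addr: str) -> bool:
    """True if a packet (proto, port, source addr) is selected by the rule."""
    return (rule.proto == proto and rule.dport == port and
            ipaddress.ip_address(addr) in ipaddress.ip_network(rule.source, strict=False))


def effective_action(rules, proto: str, port: int, addr: str, default: str = "ACCEPT") -> str:
    """First matching rule wins, like an iptables chain; `default` is the chain policy."""
    for rule in rules:
        if matches(rule, proto, port, addr):
            return rule.action
    return default


def lint(rules, ipa_servers=IPA_SERVERS, ad_dcs=AD_DCS):
    """Return a list of human-readable problems; an empty list means the rule set is safe."""
    problems = []
    for peer in ipa_servers:
        for port in LDAP_TCP_PORTS:
            if effective_action(rules, "tcp", port, peer) != "ACCEPT":
                problems.append(f"tcp/{port} from IPA server {peer} is blocked: replication will break")
    for dc in ad_dcs:
        if effective_action(rules, "udp", 389, dc) != "ACCEPT":
            problems.append(f"udp/389 (CLDAP) from AD DC {dc} is blocked: trust discovery will fail")
    return problems


def recommended_rules(ipa_servers=IPA_SERVERS, ad_dcs=AD_DCS):
    """Build a rule set that satisfies all three constraints; order matters (first match)."""
    rules = [Rule("tcp", port, peer, "ACCEPT") for peer in ipa_servers for port in LDAP_TCP_PORTS]
    rules += [Rule("udp", 389, dc, "ACCEPT") for dc in ad_dcs]
    rules += [Rule("tcp", port, dc, "REJECT") for dc in ad_dcs for port in LDAP_TCP_PORTS]
    return rules


def as_iptables(rules):
    """Render rules as iptables INPUT commands (for review, not executed here)."""
    return [f"iptables -A INPUT -p {r.proto} --dport {r.dport} -s {r.source} -j {r.action}"
            for r in rules]


# The blanket rules from the question: reject tcp/389 and tcp/636 from every source.
BLANKET_REJECT = [Rule("tcp", 389, "0.0.0.0/0", "REJECT"),
                  Rule("tcp", 636, "0.0.0.0/0", "REJECT")]

if __name__ == "__main__":
    for problem in lint(BLANKET_REJECT):
        print("blanket reject:", problem)
    print("recommended rule set problems:", lint(recommended_rules()))
    print("\n".join(as_iptables(recommended_rules())))
```

Running the linter against the blanket REJECT reports one problem per replica per port (replication from both peers on 389 and 636 blocked), while the generated rule set passes and renders to an iptables chain in which the replica ACCEPTs precede the per-DC REJECTs, which is the ordering that makes the result correct under first-match semantics.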
