Linda A. Walsh
2012-Aug-19 05:09 UTC
[Samba] Samba4: The mit list insist that file server and DC must be one and the same
steve wrote:
> My only remaining question is that to open port 22 on the file server,
> I've had to open all the other ports otherwise I could not kinit or
> anything else. Could you/is there a list of ports which need to be
> open for a S3 fileserver which is also a nfs server to be able to
> communicate to the rest of the LAN without all ports being opened?
>
> As we have Kerberos at both ends maybe it would be better to ssh using
> that?
---
1) Define "Better" (less work for which people?, faster operation? easier to manage?) But with my idea of better for my usage, whichever works both 'fast' and reliably, is easiest to put in place, and requires least overall maintenance in the long run, would be considerations -- though for prototyping, whatever is easiest/fastest to put in place that does the job.

So sounds like kinit (I'm not a Kerb-familiar person) is a kerb thing so it probably uses a standard port. Grepping through my /etc/services I see several ports for Kerberos usage -- perhaps kinit or a kerb manual documents what is needed? Either that, or look at what ports are 'owned' by your krb servers -- use netstat as root with "-p" and for each open port it will show you what prog is using it -- so you can come up with a list of ports that the server(s) are listening on -- now whether or not all of those are needed for your particular task is another matter (wireshark can narrow things down if you really want that level of granularity).

Pretty much similar advice for SMB/CIFS -- 'cept that the likely answer there is port 445. From your setup I'd think NETBIOS ports 137-139 wouldn't be needed, but depends on which tools & options you are using (and network layout). If you wanted to be real security conscious -- you could forward 445 over ssh. Netbios uses datagrams which I don't think forward easily over ssh, but if you wanted, you could even set up a VPN connection over SSH and all the ports would be forwarded through SSH.
Depends on your security needs and where you are most comfortable doing the work (as it can likely be done in multiple ways) --- none of which can be defined as "BEST", except under very specific circumstances...
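An added example (not from the list post or from Samba) that turns the "netstat as root with -p" check above into a reusable allow-list generator: it parses a constructed sample of `netstat -tulnp` output, drops loopback-only listeners, and reports the ports owned by the programs you actually want reachable; the `wanted_programs` parameter is an assumption of this example.

```python
"""Derive a minimal firewall allow-list from `netstat -tulnp` output."""
import re
from collections import defaultdict

# Constructed sample of `netstat -tulnp` run as root (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1023/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1023/smbd
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      990/krb5kdc
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      700/master
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:88              0.0.0.0:*                           990/krb5kdc
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1030/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1030/nmbd
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional LISTEN state, PID/program
LINE_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$"
)

def listening_ports(netstat_output):
    """Return {(proto, port): program} for sockets bound to a non-loopback address."""
    ports = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner / header lines
        proto, addr, port, owner = m.groups()
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only listeners never need a firewall hole
        # netstat prints "-" when it cannot name the process (kernel-owned, e.g. nfsd)
        prog = owner.split("/", 1)[1] if "/" in owner else "(kernel or unknown)"
        ports[(proto, int(port))] = prog
    return ports

def allow_list(netstat_output, wanted_programs):
    """Ports to open, grouped by program, limited to the services you intend to expose."""
    out = defaultdict(list)
    for (proto, port), prog in sorted(listening_ports(netstat_output).items()):
        if prog in wanted_programs:
            out[prog].append(f"{port}/{proto}")
    return dict(out)

if __name__ == "__main__":
    for prog, ports in allow_list(SAMPLE_NETSTAT, {"sshd", "smbd", "krb5kdc"}).items():
        print(f"{prog:10s} {', '.join(ports)}")
```

Anything the script lists but you did not expect (here nmbd's 137/138 and the process-less 2049) is exactly the set to question before opening it, as the post suggests.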