Hi everyone,

I had posted recently about getting Samba4 to work on CentOS 6.4 but having changes only replicating in one direction, from the Win2k3 AD but not back to it. I solved the problem, this time, by disabling iptables. I find it a bit hard to understand. These are the rules I have set up:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5888]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Additionally, I used to have -s 10.0.0.0/8 on all of the samba-related ones, but then I couldn't connect to the new DC via the Windows AD Users and Computers tool. Take away -s, and it works. So the above is now what I have, but when iptables is enabled, I get "Warning: No NC replicated for Connection!" on outbound when I run "samba-tool drs showrepl" and I get errors like this in Windows Event Viewer:

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date: 2013-08-15
Time: 10:21:27 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: OLDDC
Description:
The attempt to establish a replication link for the following writable directory partition failed.

Directory partition: DC=mydomain,DC=lan
Source domain controller: CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=mydomain-office,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Source domain controller address: fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan
Intersite transport (if any):

This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or network connectivity is available.

Additional Data
Error value: 1722 The RPC server is unavailable.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------- (end quote)

Also, the AD Replication Status Viewer tool will say that NEWDC cannot be contacted. Disable iptables, and voila, it starts reporting successful replication.

IIUC it's the port 135 that allows RPC contact, which I believe my iptables config above should correctly open. If not, could someone show me where I've gone wrong here?

Thanks,
Kev
On 8/15/2013 10:36 AM, Kevin Field wrote:
> Hi everyone,
>
> I had posted recently about getting Samba4 to work on CentOS 6.4 but
> having changes only replicating in one direction, from the Win2k3 AD but
> not back to it. I solved the problem, this time, by disabling iptables.
> I find it a bit hard to understand. These are the rules I have set up:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [52:5888]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
> -A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
> -A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
> -A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
> -A INPUT -p udp -m udp --dport 631 -m comment --comment "CUPS" -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 631 -m comment --comment "CUPS" -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
https://wiki.samba.org/index.php/Configure_your_firewall

Are you missing UDP port 137-138 (and possibly a few others) in your IPTables?

Also, try looking at the output of the following to check for ports in use:

# netstat -taunp | egrep "tcp.*LISTEN|udp" | egrep "samba|smbd"

One of our internal Samba servers has the following in /etc/sysconfig/iptables. You won't need the NFSCHECK chains unless you are also using NFS.

# Generated by iptables-save v1.4.7 on Fri May 24 21:51:36 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:6932]
:NFSCHECK - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -j NFSCHECK
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A NFSCHECK -s 172.30.0.0/24 -p tcp -m multiport --dports 2049,32803,892,662,111 -m comment --comment "TCP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -s 172.30.0.0/24 -p udp -m multiport --dports 2049,32769,892,662,111 -m comment --comment "UDP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
-A NFSCHECK -j RETURN
COMMIT
# Completed on Fri May 24 21:51:36 2013
Thanks for your help, Thomas. I think it was the missing "state" part of some of the lines. When I use your example, it replicates, even in both directions this time! Which is quite odd, since without iptables running, I still had problems getting my Samba test user to replicate over to the Windows DC.

Also in case it helps anyone else who is not using NetBIOS, even if I cut the NetBIOS ports, it still works fine. Same with SSL ports. So now I have for the main part of it:

-A INPUT -m comment --comment "DNS" -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -m comment --comment "DNS" -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m comment --comment "Kerberos" -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "Kerberos" -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "End Point Mapper (DCE/RPC Locator Service)" -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -m comment --comment "LDAP" -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m comment --comment "LDAP" -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -m comment --comment "SMB" -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "CUPS" -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -m comment --comment "CUPS" -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -m comment --comment "RPC" -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -m comment --comment "Global Catalog" -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT

Just tested adding a second user and it replicated immediately. Yay!

Thanks again,
Kev
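An added helper, not from the thread or from Samba: it audits an iptables-save dump against the DC port list Kevin ended up with (CUPS and mDNS left out), so you can see at a glance which proto/port pairs a ruleset does not ACCEPT on INPUT before touching replication. The sample dump inside is a constructed subset of the first ruleset; tcp/1024 is included because the thread's working rules open it as Samba's RPC port, which is an assumption you should match to your own rpc server port setting.

```shell
#!/bin/sh
# Ports a Samba AD DC needs, taken from the working ruleset in the thread
# (assumption: tcp/1024 is your Samba "rpc server port"; adjust as needed).
REQUIRED="tcp/53 udp/53 tcp/88 udp/88 tcp/135 tcp/389 udp/389 tcp/445 tcp/464 udp/464 tcp/1024 tcp/3268"

# accepted_ports: read an iptables-save dump on stdin and print "proto/port"
# for every INPUT rule that ACCEPTs a single --dport (order of -p / -m / --dport
# flags does not matter, so both styles of rule seen in the thread are handled).
accepted_ports() {
  awk '
    /^-A INPUT / && /-j ACCEPT/ {
      proto = ""; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
      }
      if (proto != "" && port != "") print proto "/" port
    }'
}

# missing_ports: read a dump on stdin and print, space separated on one line,
# the REQUIRED pairs that no INPUT ACCEPT rule opens.
missing_ports() {
  open=$(accepted_ports | tr '\n' ' ')
  miss=""
  for want in $REQUIRED; do
    case " $open " in
      *" $want "*) ;;
      *) miss="$miss $want" ;;
    esac
  done
  echo "${miss# }"
}

# Constructed sample dump: a subset of the first ruleset in the thread, which
# opens UDP 135 but not TCP 135 and has no rule for TCP 1024.
sample_dump() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

Run it against a live box with `iptables-save | missing_ports`; on the sample dump it reports tcp/135 and tcp/1024 among the gaps, which is where the Event ID 1925 "RPC server is unavailable" failure comes from.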