I'm pretty sure that Kerberos uses port 88, but that's just for authentication. Port 445 is used for connecting to shares.
We've been running tests blocking ports. With ports 137 - 139 and 445 blocked for UDP and TCP, the join fails but the computer name is still entered in the AD. With just ports 137 - 139 blocked (445 enabled), the join succeeds and all client share operations seem to function correctly as long as there is no NetBIOS name resolution involved.

Hope this helps.

Ken

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher R. Hertel
Sent: Wednesday, January 22, 2003 1:42 AM
To: Andrew Bartlett
Cc: [EMAIL PROTECTED]
Subject: Re: Auth question.

On Wed, Jan 22, 2003 at 05:30:45AM +0000, Andrew Bartlett wrote:
> On Tue, Jan 21, 2003 at 09:13:38PM -0600, Christopher R. Hertel wrote:
> > I *think* it's a rule that Kerberos authentication is always used with
> > SMB over TCP (port 445) and that Kerberos is *not* used with SMB over NBT
> > (port 139).
> >
> > Am I wrong?
>
> I think you are wrong. As far as I know there is no per-port stuff.

Quite possibly. That's why I asked. :)

...but which clients would actually do this, and under what conditions?

Of the Windows clients and servers, only W2K and XP-pro know how to work with Kerberos (does /Me handle Kerberos auth?). I *imagine* that those systems use port 445 instead of 139 whenever they can. If both client and server know how to handle Kerberos then they likely also know how to use port 445.

So, unless I'm totally insane, the likelihood of Kerberos auth being used over port 139 is low.

Totally Insane -)-----

--
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/ -)----- [EMAIL PROTECTED]