steve wrote:

My only remaining question is that to open port 22 on the file server, I've had to open all the other ports; otherwise I could not kinit or do anything else. Could you point me to, or is there, a list of ports which need to be open for an S3 file server which is also an NFS server to be able to communicate with the rest of the LAN without all ports being opened?

As we have Kerberos at both ends, maybe it would be better to ssh using that?
---
1) Define "better" (less work for which people? faster operation? easier to manage?). With my idea of "better" for my usage, whichever works both fast and reliably, is easiest to put in place, and requires the least overall maintenance in the long run would be the considerations -- though for prototyping, whatever is easiest/fastest to put in place that does the job.

   So it sounds like kinit (I'm not a Kerberos-familiar person) is a Kerberos thing,
so it probably uses a standard port.  Grepping through my /etc/services
I see several ports for Kerberos usage -- perhaps kinit or a Kerberos manual documents what is needed? Either that, or look at what ports are
'owned' by your krb servers -- use netstat as root with "-p", and for each
open port it will show you what program is using it, so you can come up with a
list of ports that the server(s) are listening on. Now, whether or not all
of those are needed for your particular task is another matter (wireshark can
narrow things down if you really want that level of granularity).

Pretty much similar advice for SMB/CIFS, except that the likely answer there
is port 445.  From your setup I'd think NetBIOS ports 137-139 wouldn't be
needed, but it depends on which tools & options you are using (and network layout).

If you wanted to be really security conscious, you could forward 445 over
ssh. NetBIOS uses datagrams, which I don't think forward easily over
ssh, but if you wanted, you could even set up a VPN connection over SSH and
all the ports would be forwarded through SSH. It depends on your security needs
and where you are most comfortable doing the work (as it can likely be done
in multiple ways), none of which can be defined as "BEST", except under
very specific circumstances...

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
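The netstat-based procedure in the reply above, carried through to a firewall allow list, as an added example that is not part of the original thread. It parses listener output of the shape `netstat -lntup` prints (the modern equivalent is `ss -lntup`), skips loopback-only sockets, labels the well-known ports for SSH, Kerberos (88 kerberos, 464 kpasswd, 749 kerberos-adm), rpcbind/NFS (111, 2049) and SMB/NetBIOS (445, 137-139), and emits nftables accept rules scoped to a LAN prefix. The sample netstat output and the 192.168.1.0/24 prefix are constructed for the example, not a real capture from steve's server; the function names are mine.

```shell
#!/bin/sh
# Added example: turn a listener inventory into a LAN-scoped firewall allow list.
# The netstat output below is CONSTRUCTED for the example, not a real capture.
# On a live box run, as root:  netstat -lntup   (or the modern equivalent: ss -lntup)
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22      0.0.0.0:*   LISTEN   812/sshd
tcp        0      0 0.0.0.0:88      0.0.0.0:*   LISTEN   901/krb5kdc
udp        0      0 0.0.0.0:88      0.0.0.0:*            901/krb5kdc
tcp        0      0 0.0.0.0:464     0.0.0.0:*   LISTEN   903/kadmind
tcp        0      0 0.0.0.0:445     0.0.0.0:*   LISTEN   1203/smbd
udp        0      0 0.0.0.0:137     0.0.0.0:*            1210/nmbd
tcp        0      0 0.0.0.0:2049    0.0.0.0:*   LISTEN   -
tcp        0      0 127.0.0.1:25    0.0.0.0:*   LISTEN   700/master'

# Well-known ports for the services in this setup (IANA /etc/services names).
known_service() {
    case "$1" in
        22)   echo ssh ;;
        88)   echo kerberos ;;
        464)  echo kpasswd ;;
        749)  echo kerberos-adm ;;
        111)  echo rpcbind ;;
        2049) echo nfs ;;
        445)  echo microsoft-ds ;;
        137)  echo netbios-ns ;;
        138)  echo netbios-dgm ;;
        139)  echo netbios-ssn ;;
        *)    echo unknown ;;
    esac
}

# listening_ports OUTPUT: print "proto port program" for each listener that is
# reachable from the network. Loopback-only sockets are skipped because the
# LAN firewall never sees them; kernel-owned sockets such as knfsd show "-".
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            port = $4; sub(/.*:/, "", port)
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr == "127.0.0.1" || addr == "::1") next
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            print proto, port, prog
        }'
}

# nft_rules LAN_CIDR OUTPUT: emit one nftables accept rule per listener,
# restricted to the LAN prefix, so the chain's default policy can stay "drop".
nft_rules() {
    lan="$1"
    listening_ports "$2" | sort -u | while read -r proto port prog; do
        printf 'add rule inet filter input ip saddr %s %s dport %s accept comment "%s/%s"\n' \
            "$lan" "$proto" "$port" "$(known_service "$port")" "$prog"
    done
}

# Usage (the LAN prefix is an assumption for the example):
# nft_rules 192.168.1.0/24 "$SAMPLE_NETSTAT"
```

Review the generated list before loading it: as the reply says, not every listener is needed for the task, and an NFSv3 server also needs rpcbind (111) plus mountd/lockd/statd, whose ports are dynamic unless pinned in the NFS configuration; NFSv4 alone needs only 2049.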