Re: [Freeipa-users] Server Ports
On 3.4.2014 07:55, Justin Brown wrote:
> I'm having some trouble determining which ports my servers need open to communicate and what ports client servers and users will need. The last documentation that I was able to find was included in Fedora 15 (http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html).

http://www.freeipa.org/page/Documentation is the ultimate source of documentation. Latest documentation build is on http://www.freeipa.org/docs/master/html-desktop/index.html

> I opened those ports with firewalld, but I encountered errors when joining my replica server. (I retried the replica install with firewalld, and it succeeded, so it's clearly a problem with the firewall settings.) I'm joining the wave of the future, so please excuse the firewalld XML, but it should be pretty obvious. All of the services are built into firewalld, except dogtag, which I made myself and is defined at the end.

The ipa-replica-conncheck utility should tell you what is missing.

> On a side note, it would be nice if the firewalld packagers included a freeipa-server service (nudge nudge).

Patches are welcome :-)

--
Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Server Ports
Petr,

I'll try another replica for testing tomorrow, and unfortunately the logs were purged when I reinstalled. The error message was not helpful and said something along the lines of "CA installation failed", but did not list any reason. I'll get you the exact message tomorrow. I'll also try some more network tests, as I have all of the ports that you listed plus some additional Dogtag ports, which I've come to understand are now proxied through 7389.

> Patches are welcome :-)

Yes, you've got me. ;) I'll review the firewalld packaging in more detail and try to come up with a workable solution. It's not currently possible to do meta-services in firewalld, and I'm sure the FreeIPA developers don't want a hard dependency on firewalld via a hypothetical freeipa-server-firewalld dependency. I'm sure some solution is possible -- maybe even just in the documentation.

Thanks,
Justin

On Thu, Apr 3, 2014 at 2:25 AM, Petr Spacek pspa...@redhat.com wrote:
> On 3.4.2014 07:55, Justin Brown wrote:
>> I'm having some trouble determining which ports my servers need open to communicate and what ports client servers and users will need. The last documentation that I was able to find was included in Fedora 15 (http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html).
>
> http://www.freeipa.org/page/Documentation is the ultimate source of documentation. Latest documentation build is on http://www.freeipa.org/docs/master/html-desktop/index.html
>
>> I opened those ports with firewalld, but I encountered errors when joining my replica server. (I retried the replica install with firewalld, and it succeeded, so it's clearly a problem with the firewall settings.) I'm joining the wave of the future, so please excuse the firewalld XML, but it should be pretty obvious. All of the services are built into firewalld, except dogtag, which I made myself and is defined at the end.
>
> The ipa-replica-conncheck utility should tell you what is missing.
>
>> On a side note, it would be nice if the firewalld packagers included a freeipa-server service (nudge nudge).
>
> Patches are welcome :-)
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] Server Ports
On 04/03/2014 09:46 AM, Justin Brown wrote:
> Petr,
>
> I'll try another replica for testing tomorrow, and unfortunately the logs were purged when I reinstalled. The error message was not helpful and said something along the lines of "CA installation failed", but did not list any reason. I'll get you the exact message tomorrow. I'll also try some more network tests, as I have all of the ports that you listed plus some additional Dogtag ports, which I've come to understand are now proxied through 7389.
>
>> Patches are welcome :-)
>
> Yes, you've got me. ;) I'll review the firewalld packaging in more detail and try to come up with a workable solution. It's not currently possible to do meta-services in firewalld, and I'm sure the FreeIPA developers don't want a hard dependency on firewalld via a hypothetical freeipa-server-firewalld dependency. I'm sure some solution is possible -- maybe even just in the documentation.
>
> Thanks,
> Justin

Hi Justin,

Petr is right, patches and contributions are extremely welcome :-) Let me just pass the initial information in case you'd want to accept this challenge:

How to contribute: http://www.freeipa.org/page/Contribute/Code
Trac ticket with related information and links to Bugzillas: https://fedorahosted.org/freeipa/ticket/2110

Actually, I do not think that freeipa-server-firewalld or similar is that bad an idea. We already thought of shipping our own firewalld file(s), and such a subpackage may be the way to go. This is something that can be discussed on the freeipa-devel list.

Martin
[Freeipa-users] Server Ports
I'm having some trouble determining which ports my servers need open to communicate and what ports client servers and users will need. The last documentation that I was able to find was included in Fedora 15 (http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html).

I opened those ports with firewalld, but I encountered errors when joining my replica server. (I retried the replica install with firewalld, and it succeeded, so it's clearly a problem with the firewall settings.) I'm joining the wave of the future, so please excuse the firewalld XML, but it should be pretty obvious. All of the services are built into firewalld, except dogtag, which I made myself and is defined at the end.

  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="http"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="https"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="dogtag"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="dns"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="kerberos"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="kpasswd"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ldap"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ldaps"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ntp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept/>
  </rule>

Services dns, kerberos, and kpasswd are TCP+UDP. Service ntp is UDP only. The others are TCP only.

===== services/dogtag.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="9180"/>
  <port protocol="tcp" port="9443"/>
  <port protocol="tcp" port="9444"/>
  <port protocol="tcp" port="9445"/>
  <port protocol="tcp" port="9446"/>
  <port protocol="tcp" port="9701"/>
  <port protocol="tcp" port="7389"/>
</service>

=====

On a side note, it would be nice if the firewalld packagers included a freeipa-server service (nudge nudge).

Thanks,
Justin