[Samba] Adding RFC2307 attributes to an existing Win2003 AD domain?
Running Samba 4.0.9, we have added a pair of Samba4 domain controllers to an existing Win2003 domain.

How do we determine whether RFC2307 attributes already exist in the domain? And how would we go about adding them to an already existing domain?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] vfs_recycle folder limit management
On 9/26/2013 10:24 AM, Kevin Field wrote:
> Thanks John, but I meant more so is there a way to have it look at the total size of the recycle dir too? I.e. only delete stale files when it needs to to stay within a limit, and also even delete not-so-stale files if it needs to because there have been too many GB deleted lately to keep 30 days worth (or whatever) around?

The easiest way would be to do a for loop in bash that starts at say 90 days, does the "find/remove" command at the 90+ day mark, then checks the output of "du -cks /path/to/recycle/bin".

Once you get below the target kilobytes, you break out of the loop. Otherwise you lower your target mtime value (by 1 or by 7), delete some more files, and check again.

So nothing in the recycle bin would be older than 90 days, and it would always stay below your target size.

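The loop this reply describes, written out as a bash function. This is an added example, not part of the original post; the function name prune_recycle, its arguments and the floor that stops the loop from emptying the directory are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): age-then-size pruning of a
# vfs_recycle directory, following the find/du loop described above.
#
# prune_recycle DIR LIMIT_KB [START_DAYS] [STEP_DAYS] [FLOOR_DAYS]
#   Deletes files older than START_DAYS, then keeps lowering the age cutoff
#   by STEP_DAYS until "du -sk DIR" is at or below LIMIT_KB.
#   FLOOR_DAYS (an assumption of this example) is the youngest cutoff tried.
#   Prints the final cutoff; returns 1 if the limit could not be reached.
prune_recycle() {
    local dir="$1" limit_kb="$2"
    local days="${3:-90}" step="${4:-7}" floor="${5:-1}"
    local used_kb

    # Refuse to run "find -delete" on an empty, missing or root path.
    if [ -z "$dir" ] || [ ! -d "$dir" ] || [ "$dir" = "/" ]; then
        echo "prune_recycle: refusing to prune '$dir'" >&2
        return 2
    fi

    while :; do
        # -mtime +N matches files modified N+1 or more whole days ago;
        # -xdev keeps find on the recycle bin's own file system.
        find "$dir" -xdev -type f -mtime +"$days" -delete

        used_kb=$(du -sk "$dir" | cut -f1)
        if [ "$used_kb" -le "$limit_kb" ]; then
            echo "$days"
            return 0
        fi

        if [ "$days" -le "$floor" ]; then
            echo "prune_recycle: still ${used_kb} KB at ${days} days" >&2
            echo "$days"
            return 1
        fi

        days=$((days - step))
        if [ "$days" -lt "$floor" ]; then
            days=$floor
        fi
    done
}

# Example cron usage (path and limit are placeholders):
#   prune_recycle /path/to/recycle/bin 52428800 90 7 1
```

The cutoff only moves when the directory is still over the limit, so a quiet month keeps the full 90 days and a burst of large deletions shortens retention just far enough to fit.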
Re: [Samba] Samba4: where are ACLs stored?
On 9/26/2013 10:12 AM, Klaus Hartnegg wrote:
> Hi,
>
> most file access rights sync between ACLs of linux and the security tab of windows file properties, but not all. Where are the other infos stored?
>
> I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither output changed when using windows to add individual right for a user that already has rights inherited from the parent directory. Windows remembers every detail of these changes, even after a reboot, so it must be stored somewhere.
>
> I'm concerned that backups might be incomplete when part of the access rights are hidden somewhere else. Will 'cp -a' really copy everything?

Under ext4, we mount with "rw,noatime,user_xattr,acl".

http://docs.fedoraproject.org/en-US/Fedora/14/html/Storage_Administration_Guide/ext4mount.html
https://wiki.samba.org/index.php/Samba_4/OS_Requirements#ext3.2Fext4_File_System

According to the ext4 documentation page, barrier=barrier (a.k.a. barrier=1) is the default, but it doesn't hurt to specify it in your /etc/fstab file for the file system where your TDB files are stored.

Use "cat /proc/mounts" to see current file system mount options.

You can check kernel defaults for xattr and ACL support by finding your config.gz or config file. Under CentOS, this is stored in /boot

    # grep CONFIG_EXT4_FS /boot/config-2.6.32-358.18.1.el6.x86_64

or

    # zgrep CONFIG_EXT4_FS /proc/config.gz

Command to check ACLs:

    # getfacl

Command to check xattrs:

    # getfattr

...

All that to say my guess is that the ACLs get stored in "acl" ext4 mount option.

I know that rdiff-backup stores: "preserves subdirectories, hard links, dev files, permissions, uid/gid ownership, modification times, extended attributes, acls, and resource forks".

So you would need to check that your backup software supports both "extended attributes" and "ACLs".

Re: [Samba] samba-tool join domain fails
On 9/23/2013 12:17 PM, Axel wrote:
> Hi folks,
>
> big problem with my testing environment... my windows 2003-domain exists since 2004 and the credentials are correct, guaranteed. This problem is actually same on Ubuntu 12.04.3 and Debian 7...

(I just added Samba4 to an existing Windows 2003 Active Directory domain this morning. So I'm in a similar situation, but my setup worked flawlessly.)

Were you able to do:

    # kinit administrator

- Try it with a wrong password, see if it gives the correct error message of "kinit: Preauthentication failed while getting initial credentials"
- Successful kinit outputs nothing

If that test doesn't work, then I'd suspect issues in your /etc/krb5.conf file.

https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

Re: [Samba] samba 4.0.9 Build Error
On 9/25/2013 4:00 AM, Thomas Zeitinger wrote:
> Hi there,
>
> I tried to build samba 4.0.9 on a Debian Wheezy 7.1 x86 fresh install and got this error:
>
> [2717/3935] Compiling source3/smbd/scavenger.c
> ../source3/smbd/scavenger.c: In function ‘scavenger_timer’:
> ../source3/smbd/scavenger.c:482:3: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ [-Werror=format]
> ../source3/smbd/scavenger.c:490:3: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ [-Werror=format]
> cc1: some warnings being treated as errors
> Waf: Leaving directory `/root/samba-4.0.9/bin'
> Build failed: -> task failed (err #1): {task: cc scavenger.c -> scavenger_92.o}
> make: *** [all] Fehler 1
>
> Never got this before. Is there something I can do? I need a samba4 on this machine.

Maybe try the sernet samba4 packages? They have a DEB for wheezy.

http://enterprisesamba.com/

You have to register, but the package downloads are free and they support apt-get. I use the sernet packages for CentOS6 with no issues.

(I built samba 4.0.6 on CentOS 6 earlier this year, now we just use the sernet packages. It's easier.)

Re: [Samba] Samba4 DNS - setting up forwarding zones (or how to configure clients)?
On 9/25/2013 7:52 AM, Thomas Harold wrote:
> #2 - Can Samba4 DNS be setup to forward all queries that are not for "addomain.example.com" to the firewall BIND DNS server? Or should we continue to point our DHCP clients at the firewall as their primary DNS server?

http://www.sloop.net/smb.conf.html

It looks like I just add the following to the [global] section of /etc/samba/smb.conf?

    dns forwarder = .1

(Where .1 would be the IP address of the firewall server running BIND DNS.)

[Samba] Samba4 DNS - setting up forwarding zones (or how to configure clients)?
Let's assume that we have a network with:

domain = "addomain.example.com"

.1 - firewall server that runs BIND9, is not in the domain, but can resolve all DNS queries. It is setup to forward any queries for the "addomain.example.com" to the internal Samba4 server.

.8 - Samba4 server (sernet packages on CentOS 6) running with integrated DNS in Active Directory mode.

Questions:

#1 - Where would you put the DHCPD service to hand out DHCP addresses (currently, our Windows 2003 domain controller handles this and registers the host names of clients in the "addomain.example.com" automatically). I would like to put the DHCPD service on the .1 firewall and have it send updates to the Samba4 server on .8.

#1a - Should we instead move to a setup where we create a second internal domain ("dhcp.example.com") for our DHCP clients?

#2 - Can Samba4 DNS be setup to forward all queries that are not for "addomain.example.com" to the firewall BIND DNS server? Or should we continue to point our DHCP clients at the firewall as their primary DNS server?

Re: [Samba] Sernet Samba-4 Howto for Centos 6.4
On 7/2/2013 7:23 AM, schmero...@gmail.com wrote:
> I have registered at https://portal.enterprisesamba.com, but am unclear regarding which packages to install for a fully functioning samba4 installation, or if there are prerequisites such as krb5.
>
> I am starting with a minimal install of Centos 6.4. I can make some reasonably educated guesses, but don't want to miss something important.
>
> Anyone know if there is a step by step howto for installing samba4 on Centos using the Sernet repository?

For an Active Directory setup with sernet-samba 4.0.9 on CentOS, I believe the only package that needs to be installed is:

    # yum install sernet-samba-ad

Prerequisites seem to be:

/etc/resolv.conf
- make sure that this points at your existing Active Directory server (if you have one)

/etc/krb5.conf
- configure this if you have an existing AD controller and test using 'kinit administrator'

    [libdefaults]
    default_realm = ADDOMAIN.EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true

/etc/sysconfig/selinux
- set to "permissive" while you configure the server
- "service auditd rotate" to rotate the log files prior to install/setup
- "cat /var/log/audit/audit.log | audit2allow" to check for exceptions
- fix SELinux issues, then go back to "enforcing" mode

After that you can follow the instructions at either:

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

The only service that runs at startup is (AFAIK) "sernet-samba-ad". I am moderately sure that the other (3) services (sernet-samba-nmbd, sernet-samba-smbd, sernet-samba-winbindd) do not need to run if you are doing an Active Directory domain.

But I'm not certain yet because I'm in the process of testing this in our environment.

Re: [Samba] Samba4: Can't create shares outside sysvol and netlogon
On 9/17/2013 6:45 AM, "Th. Söldenwagner" wrote:
> Hi,
>
> I am trying to create shares for my users in our new Samba4 domain, but with no luck so far.

Which flavor of Linux are you trying this on? If CentOS/RHEL, one thing I always forget to check is SELinux issues. Maybe you have as well?

    # getenforce

- Will tell you whether SELinux is disabled, permissive or enforcing.

    # setenforce permissive

- Setting it /temporarily/ to "permissive" is a useful check to see whether you have a SELinux issue somewhere that need addressed.

Assuming that you have "auditd" running, try looking at:

    # cat /var/log/audit/audit.log | audit2allow

Which may show you an overall view of how many exceptions you have.

In general, SELinux issues boil down to a few root causes and fixes:

#1 - There's a boolean that you need to maybe turn on. If you dig through the "sealert -a UUID" messages in the system log, it does a good job of explaining when this might apply.

#2 - There's a file system labeling problem. i.e. you are trying to let a process access things in a non-standard place and/or with a non-standard label. These are fixed with "restorecon" and "semanage fcontext" changes.

#3 - There's no way to fix labels or booleans to allow what you need, so you need to create a local exception policy. This can be done using "audit2allow" and "semodule -i". You should be careful about which exceptions you feed to audit2allow and try to keep the resulting exception policy as minimal as possible.

[Samba] Is the internal Samba4 DNS server capable of DNSSEC?
Is the internal Samba4 DNS server capable of DNSSEC? Or do we need to hook Samba4 up to BIND 9.8 or BIND 9.9?

Re: [Samba] Samba4 AD with bind DNS / TKEY is unacceptable
On 9/12/2013 2:00 AM, Stefan Schäfer wrote:
> Sorry my English isn't as good as it should be. ;-)
>
> On 12.09.2013 00:01, Patrick Gray wrote:
>> Is your existing server SBS by any chance?
>
> What's the meaning of this sentence?

SBS = Small Business Server

- Which was always a cut-down version of the full-blown Windows Server with lots of restrictions.

Re: [Samba] Samba4 and iptables
On 8/15/2013 10:36 AM, Kevin Field wrote:
> Hi everyone,
>
> I had posted recently about getting Samba4 to work on CentOS 6.4 but having changes only replicating in one direction, from the Win2k3 AD but not back to it.
>
> I solved the problem, this time, by disabling iptables. I find it a bit hard to understand. These are the rules I have set up:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [52:5888]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
> -A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
> -A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
> -A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
> -A INPUT -p udp -m udp --dport 631 -m comment --comment "CUPS" -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 631 -m comment --comment "CUPS" -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT

https://wiki.samba.org/index.php/Configure_your_firewall

Are you missing UDP port 137-138 (and possibly a few others) in your IPTables?

Also, try looking at the output of the following to check for ports in use:

    # netstat -taunp | egrep "tcp.*LISTEN|udp" | egrep "samba|smbd"

One of our internal Samba servers has the following in /etc/sysconfig/iptables. You won't need the NFSCHECK chains unless you are also using NFS.

    # Generated by iptables-save v1.4.7 on Fri May 24 21:51:36 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [48:6932]
    :NFSCHECK - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 3269 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
    -A INPUT -j NFSCHECK
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A NFSCHECK -s 172.30.0.0/24 -p tcp -m multiport --dports 2049,32803,892,662,111 -m comment --comment "TCP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
    -A NFSCHECK -s 172.30.0.0/24 -p udp -m multiport --dports 2049,32769,892,662,111 -m comment --comment "UDP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
    -A NFSCHECK -j RETURN
    COMMIT
    # Completed on Fri May 24 21:51:36 2013

[Samba] samba4 anonymous read-only access to a server share
I suspect, based on the conversation about this back in May 2013 in the thread titled "\"map to guest = bad user\" ignored in Samba 4?", that this is still an issue?

What I'm trying to do is setup a samba4 file server with the following options in the [global] area of smb.conf:

    [global]
    ...
    server role = active directory domain controller
    map to guest = bad user
    guest account = samba_guest

    [software]
    path = /mnt/smb/software
    read only = no
    hide files = /lost+found/
    guest ok = yes

However, it is still prompting me for authentication when I try and access the server from a non-domain machine. The expected behavior would be that it maps me to the guest account ("map to guest = bad user") and then lets me browse the [software] share as a guest user.

We're running 4.0.6. Looking at the release notes for 4.0.7 I don't see anything with "guest" in the notes.

Re: [Samba] Setting password expiration policy
On 5/13/2013 11:23 AM, Gerry Reno wrote:
> Can I use samba-tool to globally set passwords to never expire like this:
>
>     /usr/local/samba/bin/samba-tool domain passwordsettings set --max-pwd-age=0
>
> Or do I have to set max age to some positive value and set expiration in ADUC when creating each user as "Password never expires"?

My assumption would be that since the allowed range is only 0-999 for that argument that a value of zero would be "don't expire".

But I'm also curious as the Samba4 wiki doesn't have much to say on the subject.

Re: [Samba] Samba4 - Win7 RSAT tools - global catalog (GC) cannot be contacted
Thanks, Marc

Whether something else is missing, you can see, if you check on which ports the Samba daemons are listening:

    # netstat -taunp | egrep "tcp.*LISTEN|udp" | grep "samba|smbd"

    # netstat -taunp | egrep "tcp.*LISTEN|udp" | egrep "samba|smbd"
    tcp   0   0 0.0.0.0:139        0.0.0.0:*   LISTEN   3554/smbd
    tcp   0   0 0.0.0.0:464        0.0.0.0:*   LISTEN   3559/samba
    tcp   0   0 0.0.0.0:53         0.0.0.0:*   LISTEN   3565/samba
    tcp   0   0 0.0.0.0:88         0.0.0.0:*   LISTEN   3559/samba
    tcp   0   0 0.0.0.0:636        0.0.0.0:*   LISTEN   3557/samba
    tcp   0   0 0.0.0.0:445        0.0.0.0:*   LISTEN   3554/smbd
    tcp   0   0 0.0.0.0:1024       0.0.0.0:*   LISTEN   3553/samba
    tcp   0   0 0.0.0.0:3268       0.0.0.0:*   LISTEN   3557/samba
    tcp   0   0 0.0.0.0:3269       0.0.0.0:*   LISTEN   3557/samba
    tcp   0   0 0.0.0.0:389        0.0.0.0:*   LISTEN   3557/samba
    tcp   0   0 0.0.0.0:135        0.0.0.0:*   LISTEN   3553/samba
    tcp   0   0 :::139             :::*        LISTEN   3554/smbd
    tcp   0   0 :::445             :::*        LISTEN   3554/smbd
    udp   0   0 172.30.0.30:389    0.0.0.0:*            3558/samba
    udp   0   0 0.0.0.0:389        0.0.0.0:*            3558/samba
    udp   0   0 172.30.0.30:137    0.0.0.0:*            3555/samba
    udp   0   0 172.30.7.255:137   0.0.0.0:*            3555/samba
    udp   0   0 0.0.0.0:137        0.0.0.0:*            3555/samba
    udp   0   0 172.30.0.30:138    0.0.0.0:*            3555/samba
    udp   0   0 172.30.7.255:138   0.0.0.0:*            3555/samba
    udp   0   0 0.0.0.0:138        0.0.0.0:*            3555/samba
    udp   0   0 0.0.0.0:53         0.0.0.0:*            3565/samba
    udp   0   0 172.30.0.30:464    0.0.0.0:*            3559/samba
    udp   0   0 0.0.0.0:464        0.0.0.0:*            3559/samba
    udp   0   0 172.30.0.30:88     0.0.0.0:*            3559/samba
    udp   0   0 0.0.0.0:88         0.0.0.0:*            3559/samba

Looks like I also need to open up 3269/tcp in addition to 3268/tcp.

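The comparison made by eye in this reply, listening Samba sockets against the firewall's ACCEPT rules, can be scripted. The following is an added example, not part of the original thread; the function names missing_ports and missing_ports_demo are assumptions, and the sample input is constructed and abbreviated from the values quoted in this thread.

```shell
#!/bin/bash
# Added example (not from the original thread): report ports that samba or
# smbd listens on but that no "-A INPUT ... --dport N -j ACCEPT" rule opens.
# Handles single --dport rules only (no multiport lists, ranges or
# user-defined chains), and does not look at ip6tables.
#
# missing_ports RULES_FILE NETSTAT_FILE
#   RULES_FILE   - iptables-save format, e.g. /etc/sysconfig/iptables
#   NETSTAT_FILE - saved output of "netstat -taunp"
missing_ports() {
    awk '
        # Pass 1: collect proto/port pairs accepted on the INPUT chain.
        pass == 1 {
            if ($1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT") {
                proto = ""
                for (i = 3; i < NF; i++) {
                    if ($i == "-p") proto = $(i + 1)
                    if ($i == "--dport" && proto != "")
                        open[proto "/" $(i + 1)] = 1
                }
            }
            next
        }
        # Pass 2: sockets whose last field (PID/name) is samba or smbd.
        $1 ~ /^(tcp|udp)/ && $NF ~ /\/(samba|smbd)$/ {
            proto = substr($1, 1, 3)              # tcp6 -> tcp, udp6 -> udp
            if (proto == "tcp" && $6 != "LISTEN") next
            n = split($4, part, ":")              # 0.0.0.0:389 and :::445
            key = proto "/" part[n]
            if (!(key in open) && !(key in seen)) { seen[key] = 1; print key }
        }
    ' pass=1 "$1" pass=2 "$2" | sort -t/ -k1,1 -k2,2n
}

# Constructed sample input, abbreviated from the rules and netstat output
# quoted in this thread.
missing_ports_demo() {
    local tmp
    tmp=$(mktemp -d)
    cat > "$tmp/rules" <<'EOF'
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$tmp/netstat" <<'EOF'
tcp   0   0 0.0.0.0:636    0.0.0.0:*   LISTEN   3557/samba
tcp   0   0 0.0.0.0:3268   0.0.0.0:*   LISTEN   3557/samba
tcp   0   0 0.0.0.0:3269   0.0.0.0:*   LISTEN   3557/samba
tcp   0   0 0.0.0.0:389    0.0.0.0:*   LISTEN   3557/samba
udp   0   0 0.0.0.0:389    0.0.0.0:*            3558/samba
EOF
    missing_ports "$tmp/rules" "$tmp/netstat"
    rm -rf "$tmp"
}
```

A port in the output is only a candidate: whether it should be opened, and to which source networks, is a separate decision from the fact that a daemon is listening on it.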
[Samba] Samba4 - Win7 RSAT tools - global catalog (GC) cannot be contacted
Fresh install of 4.0.6 from source on CentOS 6 minimal. Provisioning worked fine as did adding a Win7 Pro machine to the domain.

Now trying to use the RSAT (Remote System Administration Tools), specifically the Active Directory Users and Computers tool. When looking at the properties for the "Administrator" account, clicking on the "Member Of" tab results in a 30 second wait, then the error message of "global catalog (GC) cannot be contacted". Once I click through the error message, it displays the groups that the account is a member of.

Config file is:

    # Global parameters
    [global]
    workgroup = EXAMPLE
    realm = HQ.EXAMPLE.COM
    netbios name = ATHENS
    server role = active directory domain controller
    dns forwarder = 172.30.0.1

    [netlogon]
    path = /usr/local/samba/var/locks/sysvol/hq.example.com/scripts
    read only = No

    [sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

My guess is that this is an iptables error, although I followed the instructions on the wiki to open up the appropriate ports. Not sure what port/protocol I missed.

https://wiki.samba.org/index.php/Configure_your_firewall

/etc/sysconfig/iptables:

    # Generated by iptables-save v1.4.7 on Fri May 24 21:51:36 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [48:6932]
    :NFSCHECK - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
    -A INPUT -j NFSCHECK
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A NFSCHECK -s 172.30.0.0/24 -p tcp -m multiport --dports 2049,32803,892,662,111 -m comment --comment "TCP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
    -A NFSCHECK -s 172.30.0.0/24 -p udp -m multiport --dports 2049,32769,892,662,111 -m comment --comment "UDP for nfs, lockd, mountd, statd, portmap" -j ACCEPT
    -A NFSCHECK -j RETURN
    COMMIT
    # Completed on Fri May 24 21:51:36 2013