Samba AD DC Port Usage: Difference between revisions
Latest revision as of 15:19, 31 May 2018
Identifying Listening Ports and Interfaces
To identify ports and network interfaces your Samba Active Directory (AD) Domain Controller (DC) is listening on, run:
# netstat -plaunt | egrep "ntp|bind|named|samba|?mbd"
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 16210/samba
tcp 0 0 10.99.0.1:53 0.0.0.0:* LISTEN 1544/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1544/named
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 16210/samba
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1544/named
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 9375/samba
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 16206/smbd
tcp 0 0 0.0.0.0:49152 0.0.0.0:* LISTEN 790/samba
tcp 0 0 0.0.0.0:49153 0.0.0.0:* LISTEN 16203/samba
tcp 0 0 0.0.0.0:49154 0.0.0.0:* LISTEN 790/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 9375/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 9375/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 16208/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 790/samba
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 16206/smbd
tcp 0 0 10.99.0.1:49153 10.99.0.75:38714 ESTABLISHED 790/samba
tcp 0 0 10.99.0.1:445 10.99.0.75:40412 ESTABLISHED 721/smbd
tcp 0 0 10.99.0.1:46322 10.99.0.7:1024 ESTABLISHED 16211/samba
tcp 0 0 10.99.0.1:389 10.99.0.88:37116 ESTABLISHED 9375/samba
tcp 0 0 10.99.0.1:49152 10.99.0.7:41890 ESTABLISHED 790/samba
tcp 0 0 10.99.0.1:445 10.99.0.53:41449 ESTABLISHED 5991/smbd
tcp 0 0 10.99.0.1:49153 10.99.0.53:60008 ESTABLISHED 5993/samba
tcp 0 0 10.99.0.1:49152 10.99.0.75:39852 ESTABLISHED 5993/samba
tcp 0 0 10.99.0.1:49152 10.99.0.53:54023 ESTABLISHED 16203/samba
tcp6 0 0 :::464 :::* LISTEN 16210/samba
tcp6 0 0 :::88 :::* LISTEN 16210/samba
tcp6 0 0 ::1:953 :::* LISTEN 1544/named
tcp6 0 0 :::636 :::* LISTEN 9375/samba
tcp6 0 0 :::445 :::* LISTEN 16206/smbd
tcp6 0 0 :::49152 :::* LISTEN 790/samba
tcp6 0 0 :::49153 :::* LISTEN 790/samba
tcp6 0 0 :::49154 :::* LISTEN 790/samba
tcp6 0 0 :::3268 :::* LISTEN 9375/samba
tcp6 0 0 :::3269 :::* LISTEN 9375/samba
tcp6 0 0 :::389 :::* LISTEN 9375/samba
tcp6 0 0 :::135 :::* LISTEN 790/samba
tcp6 0 0 :::139 :::* LISTEN 16206/smbd
udp 0 0 10.99.0.1:389 0.0.0.0:* 16209/samba
udp 0 0 0.0.0.0:389 0.0.0.0:* 16209/samba
udp 0 0 10.99.0.1:464 0.0.0.0:* 16210/samba
udp 0 0 0.0.0.0:464 0.0.0.0:* 16210/samba
udp 0 0 10.99.0.1:53 0.0.0.0:* 1544/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1544/named
udp 0 0 10.99.0.1:88 0.0.0.0:* 16210/samba
udp 0 0 0.0.0.0:88 0.0.0.0:* 16210/samba
udp 0 0 10.99.0.1:123 0.0.0.0:* 1678/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 1678/ntpd
udp 0 0 10.99.0.1:137 0.0.0.0:* 16205/samba
udp 0 0 10.99.0.255:137 0.0.0.0:* 16205/samba
udp 0 0 0.0.0.0:137 0.0.0.0:* 16205/samba
udp 0 0 10.99.0.1:138 0.0.0.0:* 16205/samba
udp 0 0 10.99.0.255:138 0.0.0.0:* 16205/samba
udp 0 0 0.0.0.0:138 0.0.0.0:* 16205/samba
udp6 0 0 :::389 :::* 16209/samba
udp6 0 0 :::464 :::* 16210/samba
udp6 0 0 :::88 :::* 16210/samba
The output shows that the services are listening on localhost (127.0.0.1) and on the network interface with the IP address 10.99.0.1. On both interfaces, the ports 139/tcp, 88/tcp, and 445/tcp are open. For further information on the output, see the netstat(8) manual page.
To bind Samba to specific interfaces, see Configure Samba to Bind to Specific Interfaces.
Samba AD DC Port Usage
The samba service, which provides the AD DC features, requires that the following ports are open on the DC:
Service | Port | Protocol |
---|---|---|
DNS * | 53 | tcp/udp |
Kerberos | 88 | tcp/udp |
ntp ** | 123 | udp |
End Point Mapper (DCE/RPC Locator Service) | 135 | tcp |
NetBIOS Name Service | 137 | udp |
NetBIOS Datagram | 138 | udp |
NetBIOS Session | 139 | tcp |
LDAP | 389 | tcp/udp |
SMB over TCP | 445 | tcp |
Kerberos kpasswd | 464 | tcp/udp |
LDAPS *** | 636 | tcp |
Global Catalog | 3268 | tcp |
Global Catalog SSL *** | 3269 | tcp |
Dynamic RPC Ports **** | 49152-65535 | tcp |
* This could be provided by the Samba internal DNS server, or the Bind9 DNS server.
** If ntp is configured and running on the DC.
*** If tls enabled = yes (default) is set in your smb.conf file.
**** The range matches the port range used by Windows Server 2008 and later. Samba versions before 4.7 used the TCP ports 1024 to 1300 instead. To manually set the port range in Samba 4.7 and later, set the rpc server port parameter in your smb.conf file. For details, see the parameter description in the smb.conf(5) man page.
Note: Depending on your installation, services other than samba can open additional ports required for your AD environment.
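As an added example (not part of the Samba wiki page), the following Python script parses netstat output in the format shown above and checks the listening sockets against the port table: it reports listeners that are neither in the table nor in the dynamic RPC range, table ports nobody is serving, and sockets bound to all interfaces (the case the bind-to-specific-interfaces page addresses). The sample output is constructed, and the RPC range is a parameter so the pre-4.7 range or a custom rpc server port setting can be passed instead.

```python
# Constructed sample in the format of the netstat output above (not a real capture).
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 16210/samba
tcp 0 0 10.99.0.1:53 0.0.0.0:* LISTEN 1544/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1544/named
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 16206/smbd
tcp 0 0 0.0.0.0:49153 0.0.0.0:* LISTEN 16203/samba
tcp 0 0 10.99.0.1:445 10.99.0.75:40412 ESTABLISHED 721/smbd
tcp6 0 0 :::636 :::* LISTEN 9375/samba
udp 0 0 0.0.0.0:137 0.0.0.0:* 16205/samba
udp 0 0 10.99.0.1:123 0.0.0.0:* 1678/ntpd
"""

# Fixed AD DC ports from the table above (DNS, Kerberos, ntp, EPM, NetBIOS,
# LDAP, SMB, kpasswd, LDAPS, Global Catalog, Global Catalog SSL).
EXPECTED = {("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("udp", 123),
            ("tcp", 135), ("udp", 137), ("udp", 138), ("tcp", 139),
            ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 464),
            ("udp", 464), ("tcp", 636), ("tcp", 3268), ("tcp", 3269)}
# Dynamic RPC range for Samba 4.7 and later; pass range(1024, 1301) for
# older versions, or the range set via "rpc server port".
DYNAMIC_RPC = range(49152, 65536)
WILDCARD = {"0.0.0.0", "::"}          # bound to all interfaces

def parse_listeners(text):
    """Return (proto, local_ip, port, program) for listening sockets only.
    TCP rows carry a state column (only LISTEN is kept); UDP rows have none."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = f[0].rstrip("6")                # tcp6 -> tcp, udp6 -> udp
        if proto == "tcp" and f[5] != "LISTEN":
            continue                            # ESTABLISHED and friends
        ip, _, port = f[3].rpartition(":")      # handles ':::636' and '::1:953'
        rows.append((proto, ip, int(port), f[-1].split("/", 1)[-1]))
    return rows

def audit(rows, rpc_range=DYNAMIC_RPC):
    """Compare listeners with the AD DC port table."""
    present = {(p, port) for p, _, port, _ in rows}
    return {
        "unexpected": [r for r in rows
                       if (r[0], r[2]) not in EXPECTED and r[2] not in rpc_range],
        "missing": sorted(EXPECTED - present),
        "wildcard": [(p, port, prog) for p, ip, port, prog in rows if ip in WILDCARD],
    }
```

On the sample, the only unexpected listener is named's control port 953, which is a BIND9 service rather than an AD DC port and a candidate for a closer look in the firewall policy.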