Samba AD DC Port Usage: Difference between revisions
Mmuehlfeld (talk | contribs) m (Mmuehlfeld moved page Samba AD DC port usage to Samba AD DC Port Usage: Change title to TitleCase format) |
Mmuehlfeld (talk | contribs) (Rewrote "Samba AD DC Port Usage") |
||
Line 1: | Line 1: | ||
= Identifying Listening Ports and Interfaces = |
|||
= Introduction = |
|||
To identify ports and network interfaces your Samba Active Directory (AD) Domain Controller (DC) is listening on, run: |
|||
If you need to secure your Samba installation with a firewall, you will need to know what ports and protocols are used. This page supplies an overview. |
|||
= Identify which ports and interfaces Samba is listening on= |
|||
You can use "netstat" to identify which ports and IPs, Samba and related daemons are listening on: |
|||
# netstat -tulpn | egrep "samba|smbd|nmbd|winbind" |
# netstat -tulpn | egrep "samba|smbd|nmbd|winbind" |
||
The following is a snippet of an example output: |
|||
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 43270/smbd |
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 43270/smbd |
||
tcp 0 0 10. |
tcp 0 0 10.99.0.1:139 0.0.0.0:* LISTEN 43270/smbd |
||
tcp 0 0 10. |
tcp 0 0 10.99.0.1:88 0.0.0.0:* LISTEN 43273/samba |
||
tcp 0 0 127.0.0.1:88 0.0.0.0:* LISTEN 43273/samba |
tcp 0 0 127.0.0.1:88 0.0.0.0:* LISTEN 43273/samba |
||
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 43270/smbd |
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 43270/smbd |
||
tcp 0 0 10. |
tcp 0 0 10.99.0.1:445 0.0.0.0:* LISTEN 43270/smbd |
||
... |
|||
The |
The output displays that the services are listening on localhost (127.0.0.1) and the network interface with the IP address 10.99.0.1. On both interfaces, the ports 139/tcp, 88/tcp, and 445/tcp are opened. For further information on the output, see the "netstat" (8) manual page. |
||
To bind Samba to specific interfaces, see [[Configure_Samba_to_Bind_to_Specific_Interfaces|Configure Samba to Bind to Specific Interfaces]]. |
|||
= Samba AD DC Port Usage = |
|||
= Port usage when Samba runs as an Active Directory Domain Controller = |
|||
{| |
{| class="wikitable" |
||
!Service |
!Service |
||
!Port |
!Port |
||
!Protocol |
|||
!protocol |
|||
|- |
|- |
||
|DNS* |
|DNS * |
||
|53 |
|53 |
||
|tcp/udp |
|tcp/udp |
||
Line 68: | Line 62: | ||
|tcp/udp |
|tcp/udp |
||
|- |
|- |
||
|LDAPS ** |
|||
|LDAPS ''(only if "tls enabled = yes")'' |
|||
|636 |
|636 |
||
|tcp |
|tcp |
||
|- |
|- |
||
|Dynamic RPC Ports** |
|Dynamic RPC Ports *** |
||
|1024-5000 |
|1024-5000 |
||
|tcp |
|tcp |
||
Line 80: | Line 74: | ||
|tcp |
|tcp |
||
|- |
|- |
||
|Global Cataloge SSL |
|Global Cataloge SSL ** |
||
|3269 |
|3269 |
||
|tcp |
|tcp |
||
|- |
|||
|Multicast DNS |
|||
|5353 |
|||
|tcp/udp |
|||
|} |
|} |
||
<nowiki>*</nowiki> On Samba AD DCs running the Samba internal DNS server. |
|||
<nowiki>*</nowiki> Samba listens on this port, only if the internal DNS is used. Otherwise BIND uses this port, if BIND_DLZ is your DNS backend. If you had chosen to provision this DC not as an DNS server, no service is listending on this port. You need at least one DNS server in your AD. |
|||
<nowiki>**</nowiki> Samba, like Windows, supports dynamic RPC services. The range starts at 1024. If something occupies this port for some reason, it will be a different port (literally walked up from 1024). |
|||
'''Remember, there can be other ports as well , these are related to your Samba installation but are not provided by Samba itself, e.g. an NTP server run for time synchronisation as well.''' |
|||
= Prevent Samba from listening on all interfaces = |
|||
Sometimes you don't want Samba to listen on all interfaces of your host. For example, if the host is directly connected to the internet, you definitely will not want to provide your shares to the rest of the world. If you limit Samba to listen only on the internal NIC(s), you don't need a firewall to prevent access from the outside. |
|||
Add the following to the "[global]" section of your smb.conf to bind Samba to eth0 and loopback: |
|||
<nowiki>**</nowiki> If "tls enabled = yes" (default) is set in your "smb.conf" file. |
|||
bind interfaces only = yes |
|||
interfaces = lo eth0 |
|||
<nowiki>***</nowiki> Dynamically opened for remote procedure call (RPC) services starting with 1024. If a port is already in use, the next higher is used. |
|||
The "interfaces" parameter allows various ways to restrict. See the manpage for more details. |
|||
Note that other Active Directory (AD) related services that are not provided by Samba, such as "ntpd", can open ports on a Domain Controller (DC) as well. |
|||
After the changes, restart Samba. |
Revision as of 00:12, 27 August 2016
Identifying Listening Ports and Interfaces
To identify ports and network interfaces your Samba Active Directory (AD) Domain Controller (DC) is listening on, run:
# netstat -tulpn | egrep "samba|smbd|nmbd|winbind" tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 43270/smbd tcp 0 0 10.99.0.1:139 0.0.0.0:* LISTEN 43270/smbd tcp 0 0 10.99.0.1:88 0.0.0.0:* LISTEN 43273/samba tcp 0 0 127.0.0.1:88 0.0.0.0:* LISTEN 43273/samba tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 43270/smbd tcp 0 0 10.99.0.1:445 0.0.0.0:* LISTEN 43270/smbd ...
The output displays that the services are listening on localhost (127.0.0.1) and the network interface with the IP address 10.99.0.1. On both interfaces, the ports 139/tcp, 88/tcp, and 445/tcp are opened. For further information on the output, see the "netstat" (8) manual page.
To bind Samba to specific interfaces, see Configure Samba to Bind to Specific Interfaces.
Samba AD DC Port Usage
Service | Port | Protocol |
---|---|---|
DNS * | 53 | tcp/udp |
Kerberos | 88 | tcp/udp |
End Point Mapper (DCE/RPC Locator Service) | 135 | tcp |
NetBIOS Name Service | 137 | udp |
NetBIOS Datagram | 138 | udp |
NetBIOS Session | 139 | tcp |
LDAP | 389 | tcp/udp |
SMB over TCP | 445 | tcp |
Kerberos kpasswd | 464 | tcp/udp |
LDAPS ** | 636 | tcp |
Dynamic RPC Ports *** | 1024-5000 | tcp |
Global Cataloge | 3268 | tcp |
Global Cataloge SSL ** | 3269 | tcp |
* On Samba AD DCs running the Samba internal DNS server.
** If "tls enabled = yes" (default) is set in your "smb.conf" file.
*** Dynamically opened for remote procedure call (RPC) services starting with 1024. If a port is already in use, the next higher is used.
Note that other Active Directory (AD) related services that are not provided by Samba, such as "ntpd", can open ports on a Domain Controller (DC) as well.