Samba AD DC Port Usage: Difference between revisions

From SambaWiki
m (/* Samba AD DC port usage, Altered for better English)
(Add note about DNS port)
Line 32: Line 32:
!protocol
!protocol
|-
|-
|DNS
|DNS*
|53
|53
|tcp/udp
|tcp/udp
Line 72: Line 72:
|tcp
|tcp
|-
|-
|Dynamic RPC Ports*
|Dynamic RPC Ports**
|1024-5000
|1024-5000
|tcp
|tcp
Line 89: Line 89:
|}
|}


<nowiki>*</nowiki> Samba, like Windows, supports dynamic RPC services. The range starts at 1024. If something occupies this port for some reason, it will be a different port (literally walked up from 1024).
<nowiki>*</nowiki> Samba listens on this port only, if the internal DNS is used. Otherwise BIND uses this port, if BIND_DLZ is your DNS backend. If you had chosen to provision this DC not as an DNS server, no service is listending on this port. You need at least one DNS server in your AD.

<nowiki>**</nowiki> Samba, like Windows, supports dynamic RPC services. The range starts at 1024. If something occupies this port for some reason, it will be a different port (literally walked up from 1024).


'''Remember, there can be other ports as well , these are related to your Samba installation but are not provided by Samba itself, e.g. an NTP server run for time synchronisation as well.'''
'''Remember, there can be other ports as well , these are related to your Samba installation but are not provided by Samba itself, e.g. an NTP server run for time synchronisation as well.'''

Revision as of 18:20, 29 August 2015

Introduction

If you need to secure your Samba installation with a firewall, you will need to know what ports and protocols are used. This page supplies an overview.

Identify which ports and interfaces Samba is listening on

You can use "netstat" to identify which ports and IPs, Samba and related daemons are listening on:

# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

The following is a snippet of an example output:

tcp        0      0 127.0.0.1:139               0.0.0.0:*                   LISTEN      43270/smbd          
tcp        0      0 10.0.0.1:139                0.0.0.0:*                   LISTEN      43270/smbd          
tcp        0      0 10.0.0.1:88                 0.0.0.0:*                   LISTEN      43273/samba         
tcp        0      0 127.0.0.1:88                0.0.0.0:*                   LISTEN      43273/samba         
tcp        0      0 127.0.0.1:445               0.0.0.0:*                   LISTEN      43270/smbd          
tcp        0      0 10.0.0.1:445                0.0.0.0:*                   LISTEN      43270/smbd          
.....

The above example shows that the services are listening on localhost (127.0.0.1) and the interface with IP 10.0.0.1 - on each of the listed ports (139, 88, 445,...).



Port usage when Samba runs as an Active Directory Domain Controller

Service Port protocol
DNS* 53 tcp/udp
Kerberos 88 tcp/udp
End Point Mapper (DCE/RPC Locator Service) 135 tcp
NetBIOS Name Service 137 udp
NetBIOS Datagram 138 udp
NetBIOS Session 139 tcp
LDAP 389 tcp/udp
SMB over TCP 445 tcp
Kerberos kpasswd 464 tcp/udp
LDAPS (only if "tls enabled = yes") 636 tcp
Dynamic RPC Ports** 1024-5000 tcp
Global Cataloge 3268 tcp
Global Cataloge SSL (only if "tls enabled = yes") 3269 tcp
Multicast DNS 5353 tcp/udp

* Samba listens on this port only, if the internal DNS is used. Otherwise BIND uses this port, if BIND_DLZ is your DNS backend. If you had chosen to provision this DC not as an DNS server, no service is listending on this port. You need at least one DNS server in your AD.

** Samba, like Windows, supports dynamic RPC services. The range starts at 1024. If something occupies this port for some reason, it will be a different port (literally walked up from 1024).

Remember, there can be other ports as well , these are related to your Samba installation but are not provided by Samba itself, e.g. an NTP server run for time synchronisation as well.



Prevent Samba from listening on all interfaces

Sometimes you don't want Samba to listen on all interfaces of your host. For example, if the host is directly connected to the internet, you definitely will not want to provide your shares to the rest of the world. If you limit Samba to listen only on the internal NIC(s), you don't need a firewall to prevent access from the outside.

Add the following to the "[global]" section of your smb.conf to bind Samba to eth0 and loopback:

bind interfaces only = yes
interfaces = lo eth0

The "interfaces" parameter allows various ways to restrict. See the manpage for more details.

After the changes, restart Samba.