Difference between revisions of "Samba AD DC Port Usage"

(Port usage when Samba runs as an Active Directory Domain Controller)
m (/* update to show all ports used, including if Bind9 is in use.)
 
(8 intermediate revisions by one other user not shown)
Line 1: Line 1:
= Introduction =
+
= Identifying Listening Ports and Interfaces =
  
If you need to secure your Samba installation with a firewall, you will need to know what ports and protocols are used. This page supplies an overview.
+
To identify ports and network interfaces your Samba Active Directory (AD) Domain Controller (DC) is listening on, run:
  
= Identify which ports and interfaces Samba is listening on=
+
# netstat -plaunt | egrep "ntp|bind|named|samba|?mbd"
 +
tcp        0      0 0.0.0.0:464            0.0.0.0:*              LISTEN      16210/samba
 +
tcp        0      0 10.99.0.1:53            0.0.0.0:*              LISTEN      1544/named
 +
tcp        0      0 127.0.0.1:53            0.0.0.0:*              LISTEN      1544/named
 +
tcp        0      0 0.0.0.0:88              0.0.0.0:*              LISTEN      16210/samba
 +
tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN      1544/named
 +
tcp        0      0 0.0.0.0:636            0.0.0.0:*              LISTEN      9375/samba
 +
tcp        0      0 0.0.0.0:445            0.0.0.0:*              LISTEN      16206/smbd
 +
tcp        0      0 0.0.0.0:49152          0.0.0.0:*              LISTEN      790/samba
 +
tcp        0      0 0.0.0.0:49153          0.0.0.0:*              LISTEN      16203/samba
 +
tcp        0      0 0.0.0.0:49154          0.0.0.0:*              LISTEN      790/samba
 +
tcp        0      0 0.0.0.0:3268            0.0.0.0:*              LISTEN      9375/samba
 +
tcp        0      0 0.0.0.0:3269            0.0.0.0:*              LISTEN      9375/samba
 +
tcp        0      0 0.0.0.0:389            0.0.0.0:*              LISTEN      16208/samba
 +
tcp        0      0 0.0.0.0:135            0.0.0.0:*              LISTEN      790/samba
 +
tcp        0      0 0.0.0.0:139            0.0.0.0:*              LISTEN      16206/smbd
 +
tcp        0      0 10.99.0.1:49153      10.99.0.75:38714      ESTABLISHED 790/samba
 +
tcp        0      0 10.99.0.1:445        10.99.0.75:40412      ESTABLISHED 721/smbd
 +
tcp        0      0 10.99.0.1:46322      10.99.0.7:1024        ESTABLISHED 16211/samba
 +
tcp        0      0 10.99.0.1:389        10.99.0.88:37116      ESTABLISHED 9375/samba
 +
tcp        0      0 10.99.0.1:49152      10.99.0.7:41890      ESTABLISHED 790/samba
 +
tcp        0      0 10.99.0.1:445        10.99.0.53:41449      ESTABLISHED 5991/smbd
 +
tcp        0      0 10.99.0.1:49153      10.99.0.53:60008      ESTABLISHED 5993/samba
 +
tcp        0      0 10.99.0.1:49152      10.99.0.75:39852      ESTABLISHED 5993/samba
 +
tcp        0      0 10.99.0.1:49152      10.99.0.53:54023      ESTABLISHED 16203/samba
 +
tcp6      0      0 :::464                  :::*                    LISTEN      16210/samba
 +
tcp6      0      0 :::88                  :::*                    LISTEN      16210/samba
 +
tcp6      0      0 ::1:953                :::*                    LISTEN      1544/named
 +
tcp6      0      0 :::636                  :::*                    LISTEN      9375/samba
 +
tcp6      0      0 :::445                  :::*                    LISTEN      16206/smbd
 +
tcp6      0      0 :::49152                :::*                    LISTEN      790/samba
 +
tcp6      0      0 :::49153                :::*                    LISTEN      790/samba
 +
tcp6      0      0 :::49154                :::*                    LISTEN      790/samba
 +
tcp6      0      0 :::3268                :::*                    LISTEN      9375/samba
 +
tcp6      0      0 :::3269                :::*                    LISTEN      9375/samba
 +
tcp6      0      0 :::389                  :::*                    LISTEN      9375/samba
 +
tcp6      0      0 :::135                  :::*                    LISTEN      790/samba
 +
tcp6      0      0 :::139                  :::*                    LISTEN      16206/smbd
 +
udp        0      0 10.99.0.1:389        0.0.0.0:*                          16209/samba
 +
udp        0      0 0.0.0.0:389            0.0.0.0:*                          16209/samba
 +
udp        0      0 10.99.0.1:464        0.0.0.0:*                          16210/samba
 +
udp        0      0 0.0.0.0:464            0.0.0.0:*                          16210/samba
 +
udp        0      0 10.99.0.1:53          0.0.0.0:*                          1544/named
 +
udp        0      0 127.0.0.1:53            0.0.0.0:*                          1544/named
 +
udp        0      0 10.99.0.1:88          0.0.0.0:*                          16210/samba
 +
udp        0      0 0.0.0.0:88              0.0.0.0:*                          16210/samba
 +
udp        0      0 10.99.0.1:123        0.0.0.0:*                          1678/ntpd
 +
udp        0      0 127.0.0.1:123          0.0.0.0:*                          1678/ntpd
 +
udp        0      0 10.99.0.1:137        0.0.0.0:*                          16205/samba
 +
udp        0      0 10.99.0.255:137      0.0.0.0:*                          16205/samba
 +
udp        0      0 0.0.0.0:137            0.0.0.0:*                          16205/samba
 +
udp        0      0 10.99.0.1:138        0.0.0.0:*                          16205/samba
 +
udp        0      0 10.99.0.255:138      0.0.0.0:*                          16205/samba
 +
udp        0      0 0.0.0.0:138            0.0.0.0:*                          16205/samba
 +
udp6      0      0 :::389                  :::*                                16209/samba
 +
udp6      0      0 :::464                  :::*                                16210/samba
 +
udp6      0      0 :::88                  :::*                                16210/samba
  
You can use "netstat" to identify which ports and IPs, Samba and related daemons are listening on:
 
  
# netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
+
The output displays that the services are listening on <code>localhost</code> (<code>127.0.0.1</code>) and the network interface with the IP address <code>10.99.0.1</code>. On both interfaces, the ports <code>139/tcp</code>, <code>88/tcp</code>, and <code>445/tcp</code> are opened. For further information on the output, see the <code>netstat (8)</code> manual page.
  
The following is a snippet of an example output:
+
To bind Samba to specific interfaces, see [[Configure_Samba_to_Bind_to_Specific_Interfaces|Configure Samba to Bind to Specific Interfaces]].
  
tcp        0      0 127.0.0.1:139              0.0.0.0:*                  LISTEN      43270/smbd         
 
tcp        0      0 10.0.0.1:139                0.0.0.0:*                  LISTEN      43270/smbd         
 
tcp        0      0 10.0.0.1:88                0.0.0.0:*                  LISTEN      43273/samba       
 
tcp        0      0 127.0.0.1:88                0.0.0.0:*                  LISTEN      43273/samba       
 
tcp        0      0 127.0.0.1:445              0.0.0.0:*                  LISTEN      43270/smbd         
 
tcp        0      0 10.0.0.1:445                0.0.0.0:*                  LISTEN      43270/smbd         
 
.....
 
  
The above example shows that the services are listening on localhost (127.0.0.1) and the interface with IP 10.0.0.1 - on each of the listed ports (139, 88, 445,...).
 
  
  
 +
= Samba AD DC Port Usage =
  
 +
The <code>samba</code> service, which provides the AD DC features, requires that the following ports are opened on the DC:
  
 
+
{| class="wikitable"
= Port usage when Samba runs as an Active Directory Domain Controller =
 
 
 
{| border="1"
 
 
!Service
 
!Service
 
!Port
 
!Port
!protocol
+
!Protocol
 
|-
 
|-
|DNS*
+
|DNS *
 
|53
 
|53
 
|tcp/udp
 
|tcp/udp
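Review bot: the explanatory sentence added in this hunk ("On both interfaces, the ports 139/tcp, 88/tcp, and 445/tcp are opened", with localhost and 10.99.0.1 named as the two interfaces) was carried over from the old 10.0.0.1 example and no longer matches the new listing, where 139, 88 and 445 are bound to the wildcard addresses 0.0.0.0 and ::: and 127.0.0.1 appears only for named (53, 953) and ntpd (123); reword it to say those sockets are bound to all addresses of the host, which includes both interfaces. Consider also dropping -a from `netstat -plaunt`: the ESTABLISHED rows it adds are client connections, not listening ports, and they make the listing harder to read for the firewall purpose stated in the introduction.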
Line 39: Line 85:
 
|88
 
|88
 
|tcp/udp
 
|tcp/udp
 +
|-
 +
|ntp **
 +
|123
 +
|udp
 
|-
 
|-
 
|End Point Mapper (DCE/RPC Locator Service)
 
|End Point Mapper (DCE/RPC Locator Service)
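Review bot: the new `ntp **` row uses a lower-case service name while the neighbouring rows (`DNS *`, `Kerberos`) are capitalised; write it as `NTP **` and use the same spelling in the matching footnote. The udp-only protocol entry is consistent with the `1678/ntpd` lines on udp 123 in the listing above.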
Line 68: Line 118:
 
|tcp/udp
 
|tcp/udp
 
|-
 
|-
|LDAPS ''(only if "tls enabled = yes")''
+
|LDAPS ***
 
|636
 
|636
 
|tcp
 
|tcp
 
|-
 
|-
|Dynamic RPC Ports**
+
|Global Catalog
|1024-5000
 
|tcp
 
|-
 
|Global Cataloge
 
 
|3268
 
|3268
 
|tcp
 
|tcp
 
|-
 
|-
|Global Cataloge SSL ''(only if "tls enabled = yes")''
+
|Global Catalog SSL ***
 
|3269
 
|3269
 
|tcp
 
|tcp
 
|-
 
|-
|Multicast DNS
+
|Dynamic RPC Ports ****
|5353
+
|49152-65535
|tcp/udp
+
|tcp
 
|}
 
|}
  
<nowiki>*</nowiki> Samba listens on this port, only if the internal DNS is used. Otherwise BIND uses this port, if BIND_DLZ is your DNS backend. If you had chosen to provision this DC not as an DNS server, no service is listending on this port. You need at least one DNS server in your AD.
+
<nowiki>*</nowiki> This could be provided by the Samba internal DNS server, or the Bind9 DNS server.
 +
 
 +
<nowiki>**</nowiki> If ntp is configured and running on the DC.
  
<nowiki>**</nowiki> Samba, like Windows, supports dynamic RPC services. The range starts at 1024. If something occupies this port for some reason, it will be a different port (literally walked up from 1024).
+
<nowiki>***</nowiki> If <code>tls enabled = yes</code> (default) is set in your <code>smb.conf</code> file.
  
'''Remember, there can be other ports as well , these are related to your Samba installation but are not provided by Samba itself, e.g. an NTP server run for time synchronisation as well.'''
+
<nowiki>****</nowiki> The range matches the port range used by Windows Server 2008 and later. Samba versions before 4.7 used the TCP ports 1024 to 1300 instead. To manually set the port range in Samba 4.7 and later, set the <code>rpc server port</code> parameter in your <code>smb.conf</code> file. For details, see the parameter description in the <code>smb.conf(5)</code> man page.
  
= Prevent Samba from listening on all interfaces =
+
{{Imbox
 +
| type = note
 +
| text = Depending on your installation, services other than <code>samba</code> can open additional ports required for your AD environment.
 +
}}
  
Sometimes you don't want Samba to listen on all interfaces of your host. For example, if the host is directly connected to the internet, you definitely will not want to provide your shares to the rest of the world. If you limit Samba to listen only on the internal NIC(s), you don't need a firewall to prevent access from the outside.
 
  
Add the following to the "[global]" section of your smb.conf to bind Samba to eth0 and loopback:
 
  
bind interfaces only = yes
 
interfaces = lo eth0
 
  
The "interfaces" parameter allows various ways to restrict. See the manpage for more details.
 
  
After the changes, restart Samba.
+
----
 +
[[Category:Active Directory]]
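Review bot: the `Multicast DNS 5353 tcp/udp` row is removed without explanation, while the `Dynamic RPC Ports` range changes from 1024-5000 to 49152-65535; the new `****` footnote (Samba 4.7, `rpc server port`) justifies the range change, but nothing says why 5353 is gone, so add a short note or edit summary stating that it is not required by the DC role. The new range agrees with the 49152-49154 listeners shown in the listing above.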

Latest revision as of 15:19, 31 May 2018

Identifying Listening Ports and Interfaces

To identify ports and network interfaces your Samba Active Directory (AD) Domain Controller (DC) is listening on, run:

# netstat -plaunt | egrep "ntp|bind|named|samba|?mbd"
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      16210/samba
tcp        0      0 10.99.0.1:53            0.0.0.0:*               LISTEN      1544/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1544/named
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      16210/samba
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1544/named
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      9375/samba
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      16206/smbd 
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      790/samba
tcp        0      0 0.0.0.0:49153           0.0.0.0:*               LISTEN      16203/samba
tcp        0      0 0.0.0.0:49154           0.0.0.0:*               LISTEN      790/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      9375/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      9375/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      16208/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      790/samba
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      16206/smbd
tcp        0      0 10.99.0.1:49153       10.99.0.75:38714      ESTABLISHED 790/samba
tcp        0      0 10.99.0.1:445         10.99.0.75:40412      ESTABLISHED 721/smbd
tcp        0      0 10.99.0.1:46322       10.99.0.7:1024        ESTABLISHED 16211/samba
tcp        0      0 10.99.0.1:389         10.99.0.88:37116      ESTABLISHED 9375/samba
tcp        0      0 10.99.0.1:49152       10.99.0.7:41890       ESTABLISHED 790/samba
tcp        0      0 10.99.0.1:445         10.99.0.53:41449      ESTABLISHED 5991/smbd
tcp        0      0 10.99.0.1:49153       10.99.0.53:60008      ESTABLISHED 5993/samba
tcp        0      0 10.99.0.1:49152       10.99.0.75:39852      ESTABLISHED 5993/samba
tcp        0      0 10.99.0.1:49152       10.99.0.53:54023      ESTABLISHED 16203/samba
tcp6       0      0 :::464                  :::*                    LISTEN      16210/samba
tcp6       0      0 :::88                   :::*                    LISTEN      16210/samba
tcp6       0      0 ::1:953                 :::*                    LISTEN      1544/named
tcp6       0      0 :::636                  :::*                    LISTEN      9375/samba
tcp6       0      0 :::445                  :::*                    LISTEN      16206/smbd
tcp6       0      0 :::49152                :::*                    LISTEN      790/samba
tcp6       0      0 :::49153                :::*                    LISTEN      790/samba
tcp6       0      0 :::49154                :::*                    LISTEN      790/samba
tcp6       0      0 :::3268                 :::*                    LISTEN      9375/samba
tcp6       0      0 :::3269                 :::*                    LISTEN      9375/samba
tcp6       0      0 :::389                  :::*                    LISTEN      9375/samba
tcp6       0      0 :::135                  :::*                    LISTEN      790/samba
tcp6       0      0 :::139                  :::*                    LISTEN      16206/smbd
udp        0      0 10.99.0.1:389         0.0.0.0:*                           16209/samba
udp        0      0 0.0.0.0:389             0.0.0.0:*                           16209/samba
udp        0      0 10.99.0.1:464         0.0.0.0:*                           16210/samba
udp        0      0 0.0.0.0:464             0.0.0.0:*                           16210/samba
udp        0      0 10.99.0.1:53          0.0.0.0:*                           1544/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1544/named
udp        0      0 10.99.0.1:88          0.0.0.0:*                           16210/samba
udp        0      0 0.0.0.0:88              0.0.0.0:*                           16210/samba
udp        0      0 10.99.0.1:123         0.0.0.0:*                           1678/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1678/ntpd
udp        0      0 10.99.0.1:137         0.0.0.0:*                           16205/samba
udp        0      0 10.99.0.255:137       0.0.0.0:*                           16205/samba
udp        0      0 0.0.0.0:137             0.0.0.0:*                           16205/samba
udp        0      0 10.99.0.1:138         0.0.0.0:*                           16205/samba
udp        0      0 10.99.0.255:138       0.0.0.0:*                           16205/samba
udp        0      0 0.0.0.0:138             0.0.0.0:*                           16205/samba
udp6       0      0 :::389                  :::*                                16209/samba
udp6       0      0 :::464                  :::*                                16210/samba
udp6       0      0 :::88                   :::*                                16210/samba


The output shows that the services are listening on localhost (127.0.0.1) and on the network interface with the IP address 10.99.0.1: most Samba sockets are bound to the wildcard addresses 0.0.0.0 and :: (every IPv4 and IPv6 address of the host), so the ports 139/tcp, 88/tcp, and 445/tcp are open on both interfaces. For further information on the output, see the netstat(8) manual page.

To bind Samba to specific interfaces, see Configure Samba to Bind to Specific Interfaces.
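The following script, added here as an example and not part of the Samba wiki or the Samba project, turns a `netstat -plaunt` listing like the one above into a per-port summary, so you can see at a glance which ports are bound to the wildcard addresses (and therefore reachable on every interface, including an internet-facing one) and which are bound to loopback only. The sample lines are a constructed subset of the listing on this page; UDP rows have no state column and ESTABLISHED TCP rows are client connections, and both cases are handled.

```python
"""Summarise listening sockets from `netstat -plaunt` text output.
Added example; NETSTAT_SAMPLE is a constructed subset of this page's listing."""

from collections import defaultdict

NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      16210/samba
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1544/named
tcp        0      0 10.99.0.1:53            0.0.0.0:*               LISTEN      1544/named
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      16206/smbd
tcp        0      0 10.99.0.1:445         10.99.0.75:40412      ESTABLISHED 721/smbd
tcp6       0      0 :::88                   :::*                    LISTEN      16210/samba
tcp6       0      0 ::1:953                 :::*                    LISTEN      1544/named
udp        0      0 0.0.0.0:88              0.0.0.0:*                           16210/samba
udp        0      0 10.99.0.1:123         0.0.0.0:*                           1678/ntpd
udp6       0      0 :::88                   :::*                                16210/samba
"""

WILDCARDS = {"0.0.0.0", "::"}
LOOPBACK = {"127.0.0.1", "::1"}


def split_local(addr):
    """'10.99.0.1:53' -> ('10.99.0.1', 53); ':::88' -> ('::', 88); '::1:953' -> ('::1', 953).
    The port is always after the last colon, which also works for IPv6 literals."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Return {(proto, port): {"addrs": set, "programs": set}} for sockets that accept
    traffic: TCP sockets in LISTEN state and every UDP socket. UDP rows have no state
    column (one field fewer), ESTABLISHED TCP rows are skipped, and header or prompt
    lines are ignored because their first field is not tcp/udp."""
    sockets = defaultdict(lambda: {"addrs": set(), "programs": set()})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0].rstrip("6")          # tcp6/udp6 -> tcp/udp
        if proto == "tcp":
            if len(fields) < 7 or fields[5] != "LISTEN":
                continue
            program = fields[6]
        else:
            program = fields[5]
        host, port = split_local(fields[3])
        entry = sockets[(proto, port)]
        entry["addrs"].add(host)
        entry["programs"].add(program.split("/", 1)[-1])  # "1544/named" -> "named"; "-" stays "-"
    return dict(sockets)


def wildcard_ports(sockets):
    """Ports bound to 0.0.0.0 or :: are reachable on every interface of the host."""
    return sorted(k for k, v in sockets.items() if v["addrs"] & WILDCARDS)


def loopback_only_ports(sockets):
    """Ports reachable only from the host itself (all bindings are loopback addresses)."""
    return sorted(k for k, v in sockets.items() if v["addrs"] and v["addrs"] <= LOOPBACK)


if __name__ == "__main__":
    summary = parse_netstat(NETSTAT_SAMPLE)
    for key in sorted(summary):
        print(key, sorted(summary[key]["addrs"]), sorted(summary[key]["programs"]))
    print("reachable on all interfaces:", wildcard_ports(summary))
    print("loopback only:", loopback_only_ports(summary))
```

On a real DC, feed it the live listing (`netstat -plaunt | python3 this_script.py` after replacing the sample with `sys.stdin.read()`); anything in the wildcard list that should not be reachable from every network is a candidate for the interface restriction the linked page describes, or for a firewall rule.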



Samba AD DC Port Usage

The samba service, which provides the AD DC features, requires that the following ports are opened on the DC:

{| class="wikitable"
!Service
!Port
!Protocol
|-
|DNS *
|53
|tcp/udp
|-
|Kerberos
|88
|tcp/udp
|-
|ntp **
|123
|udp
|-
|End Point Mapper (DCE/RPC Locator Service)
|135
|tcp
|-
|NetBIOS Name Service
|137
|udp
|-
|NetBIOS Datagram
|138
|udp
|-
|NetBIOS Session
|139
|tcp
|-
|LDAP
|389
|tcp/udp
|-
|SMB over TCP
|445
|tcp
|-
|Kerberos kpasswd
|464
|tcp/udp
|-
|LDAPS ***
|636
|tcp
|-
|Global Catalog
|3268
|tcp
|-
|Global Catalog SSL ***
|3269
|tcp
|-
|Dynamic RPC Ports ****
|49152-65535
|tcp
|}

* This could be provided by the Samba internal DNS server, or the Bind9 DNS server.

** If ntp is configured and running on the DC.

*** If tls enabled = yes (default) is set in your smb.conf file.

**** The range matches the port range used by Windows Server 2008 and later. Samba versions before 4.7 used the TCP ports 1024 to 1300 instead. To manually set the port range in Samba 4.7 and later, set the rpc server port parameter in your smb.conf file. For details, see the parameter description in the smb.conf(5) man page.
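The port table and its footnotes can be used in two directions: to check a DC's actual listeners against what the table says a DC needs, and to build the firewall rule set the introduction of this page has in mind. The script below, an added example that is not part of the Samba wiki or the Samba project, does both. The table rows and their conditions (internal or Bind9 DNS, ntp running, `tls enabled = yes`, the `rpc server port` range) are taken from this page; the OBSERVED set was read off the netstat listing above; the nftables syntax and the `rpc_range` parameter name are this example's own assumptions.

```python
"""Audit a DC's listening ports against the port table on this page and emit a
matching nftables input rule set. Added example; PORT_TABLE mirrors the page's
table, OBSERVED mirrors its netstat listing, rpc_range is a hypothetical parameter."""

# (service, protocol, low port, high port, condition); conditions map to the footnotes
PORT_TABLE = [
    ("DNS", "tcp", 53, 53, "dns"), ("DNS", "udp", 53, 53, "dns"),
    ("Kerberos", "tcp", 88, 88, None), ("Kerberos", "udp", 88, 88, None),
    ("NTP", "udp", 123, 123, "ntp"),
    ("End Point Mapper", "tcp", 135, 135, None),
    ("NetBIOS Name Service", "udp", 137, 137, None),
    ("NetBIOS Datagram", "udp", 138, 138, None),
    ("NetBIOS Session", "tcp", 139, 139, None),
    ("LDAP", "tcp", 389, 389, None), ("LDAP", "udp", 389, 389, None),
    ("SMB over TCP", "tcp", 445, 445, None),
    ("Kerberos kpasswd", "tcp", 464, 464, None), ("Kerberos kpasswd", "udp", 464, 464, None),
    ("LDAPS", "tcp", 636, 636, "tls"),
    ("Global Catalog", "tcp", 3268, 3268, None),
    ("Global Catalog SSL", "tcp", 3269, 3269, "tls"),
    ("Dynamic RPC", "tcp", 49152, 65535, None),
]

# Listening sockets read off the netstat listing on this page, as (protocol, port).
OBSERVED = ({("tcp", p) for p in (53, 88, 135, 139, 389, 445, 464, 636, 953,
                                   3268, 3269, 49152, 49153, 49154)}
            | {("udp", p) for p in (53, 88, 123, 137, 138, 389, 464)})


def expected_rows(dns=True, ntp=True, tls=True):
    """Table rows that apply to this DC given the footnote conditions."""
    enabled = {"dns": dns, "ntp": ntp, "tls": tls}
    return [row for row in PORT_TABLE if row[4] is None or enabled[row[4]]]


def audit(observed, dns=True, ntp=True, tls=True):
    """Return (unexpected, missing): observed listeners no table row explains, and
    table rows (a range counts as one) for which nothing is listening."""
    rows = expected_rows(dns, ntp, tls)
    unexpected = sorted(
        (proto, port) for proto, port in observed
        if not any(r[1] == proto and r[2] <= port <= r[3] for r in rows))
    missing = sorted(
        (r[1], r[2], r[0]) for r in rows
        if not any(proto == r[1] and r[2] <= port <= r[3] for proto, port in observed))
    return unexpected, missing


def nft_rules(dns=True, ntp=True, tls=True, rpc_range=(49152, 65535)):
    """nftables 'inet' table that accepts only the table's ports on the input path;
    everything else falls through to the chain's drop policy. rpc_range lets you
    mirror a custom 'rpc server port' setting from smb.conf."""
    by_proto = {"tcp": [], "udp": []}
    for _, proto, lo, hi, _ in expected_rows(dns, ntp, tls):
        if (lo, hi) == (49152, 65535):
            lo, hi = rpc_range
        by_proto[proto].append(f"{lo}-{hi}" if lo != hi else str(lo))
    lines = [
        "table inet samba_dc {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    ip protocol icmp accept",
        "    ip6 nexthdr ipv6-icmp accept",
    ]
    for proto in ("tcp", "udp"):
        lines.append(f"    {proto} dport {{ {', '.join(by_proto[proto])} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    unexpected, missing = audit(OBSERVED)
    print("listening but not in the table:", unexpected)
    print("in the table but not listening:", missing)
    print(nft_rules())
```

Run against the listing on this page, the audit reports a single unexpected listener, 953/tcp, which the listing shows bound by `named` to 127.0.0.1 and ::1 only; the generated rule set does not open it, and the `iif lo accept` line keeps it usable locally. Review the emitted text before loading it with `nft -f`, and pass `ntp=False` or `tls=False` to match the footnote conditions of your own DC.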