Samba AD DC Port Usage: Difference between revisions
Revision summaries: Mmuehlfeld: Updated dynamic RPC port range for Samba 4.7 and later. Mmuehlfeld: Made more clear that some ports may be required by AD, but not opened by the samba binary.
Revision as of 21:50, 13 February 2018
Identifying Listening Ports and Interfaces
To identify ports and network interfaces your Samba Active Directory (AD) Domain Controller (DC) is listening on, run:
 # netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
 tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      43270/smbd
 tcp        0      0 10.99.0.1:139           0.0.0.0:*               LISTEN      43270/smbd
 tcp        0      0 10.99.0.1:88            0.0.0.0:*               LISTEN      43273/samba
 tcp        0      0 127.0.0.1:88            0.0.0.0:*               LISTEN      43273/samba
 tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      43270/smbd
 tcp        0      0 10.99.0.1:445           0.0.0.0:*               LISTEN      43270/smbd
 ...
The output displays that the services are listening on localhost (127.0.0.1) and on the network interface with the IP address 10.99.0.1. On both interfaces, the ports 139/tcp, 88/tcp, and 445/tcp are open. For further information on the output, see the netstat(8) manual page.
To bind Samba to specific interfaces, see Configure Samba to Bind to Specific Interfaces.
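The listing above is easiest to review when it is reduced to one line per protocol, port and program and compared with the port table in the next section. The following POSIX shell script is an added example, not code from the Samba wiki or the Samba project: it parses netstat -tulpn output, lists the Samba-related listeners, flags ports that are not in the expected set (including the 49152-65535 dynamic RPC range), and flags sockets bound to all interfaces (0.0.0.0 or ::), which is usually a sign that "bind interfaces only" is not doing what you intended. The sample output embedded in the script is constructed for the example; the 8080/tcp listener and the wildcard bind are deliberate so that the checks have something to report.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): audit the sockets a Samba AD DC
# listens on. Feed it netstat -tulpn output; the sample below is constructed
# for this example, not captured from a real DC.

SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      43270/smbd
tcp        0      0 10.99.0.1:139           0.0.0.0:*               LISTEN      43270/smbd
tcp        0      0 10.99.0.1:88            0.0.0.0:*               LISTEN      43273/samba
tcp        0      0 127.0.0.1:88            0.0.0.0:*               LISTEN      43273/samba
tcp        0      0 10.99.0.1:445           0.0.0.0:*               LISTEN      43270/smbd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      43273/samba
udp        0      0 10.99.0.1:53            0.0.0.0:*                           43273/samba
udp        0      0 10.99.0.1:88            0.0.0.0:*                           43273/samba'

# Ports the samba service is expected to open, taken from the port table of
# this page. The dynamic RPC range (49152-65535/tcp) is handled separately.
EXPECTED_TCP="53 88 135 139 389 445 464 636 3268 3269"
EXPECTED_UDP="53 88 137 138 389 464"

# Print "proto port program" for every Samba-related listener, deduplicated.
# netstat prints no State column for udp, so the program is always $NF.
samba_listeners() {
    printf '%s\n' "$1" | awk '
        /samba|smbd|nmbd|winbind/ {
            sub(/6$/, "", $1)                 # tcp6/udp6 -> tcp/udp
            n = split($4, a, ":"); port = a[n] # last colon-separated field
            sub(/^[0-9]+\//, "", $NF)         # strip the PID from PID/program
            print $1, port, $NF
        }' | sort -u
}

# Report listeners whose port is not in the expected set for its protocol.
unexpected_listeners() {
    samba_listeners "$1" | while read -r proto port prog; do
        list=""
        case "$proto" in
            tcp) list="$EXPECTED_TCP" ;;
            udp) list="$EXPECTED_UDP" ;;
        esac
        found=0
        for p in $list; do
            [ "$p" = "$port" ] && found=1
        done
        # Dynamic RPC ports (Samba 4.7 and later) are expected on tcp.
        if [ "$proto" = tcp ] && [ "$port" -ge 49152 ] && [ "$port" -le 65535 ]; then
            found=1
        fi
        [ "$found" -eq 1 ] || echo "$proto $port $prog"
    done
}

# Report Samba sockets bound to every interface instead of a specific address.
wildcard_binds() {
    printf '%s\n' "$1" | awk '
        /samba|smbd|nmbd|winbind/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
            print $4, $NF
        }'
}

# On a real DC, run:  unexpected_listeners "$(netstat -tulpn 2>/dev/null)"
echo "== Samba listeners ==";     samba_listeners "$SAMPLE_NETSTAT"
echo "== unexpected ports ==";    unexpected_listeners "$SAMPLE_NETSTAT"
echo "== wildcard binds ==";      wildcard_binds "$SAMPLE_NETSTAT"
```

Run with the sample, the script lists six distinct listeners and reports 8080/tcp as unexpected and 0.0.0.0:8080 as a wildcard bind. Ports that are legitimately opened by other services (named on 53 with the BIND9_DLZ back end, ntpd on 123/udp) do not match the process filter and are therefore not reported; extend the egrep-style pattern in both awk calls if you want them included.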
Samba AD DC Port Usage
The samba service, which provides the AD DC features, requires that the following ports are opened on the DC and are not blocked by a firewall between the DC and its clients, member servers, or other DCs:
Service | Port | Protocol |
---|---|---|
DNS * | 53 | tcp/udp |
Kerberos | 88 | tcp/udp |
End Point Mapper (DCE/RPC Locator Service) | 135 | tcp |
NetBIOS Name Service | 137 | udp |
NetBIOS Datagram | 138 | udp |
NetBIOS Session | 139 | tcp |
LDAP | 389 | tcp/udp |
SMB over TCP | 445 | tcp |
Kerberos kpasswd | 464 | tcp/udp |
LDAPS ** | 636 | tcp |
Dynamic RPC Ports *** | 49152-65535 | tcp |
Global Catalog | 3268 | tcp |
Global Catalog SSL ** | 3269 | tcp |
* On Samba AD DCs which use the Samba internal DNS server.
** If tls enabled = yes (default) is set in your smb.conf file.
*** The range matches the port range used by Windows Server 2008 and later. Samba versions before 4.7 used the TCP ports 1024 to 1300 instead. To manually set the port range in Samba 4.7 and later, set the rpc server port parameter in your smb.conf file. For details, see the parameter description in the smb.conf(5) man page.
Depending on your installation, services other than samba can open additional ports required for your AD environment. For example, port 123/udp is opened by the ntpd service if you run it. Additionally, if you use the BIND9_DLZ back end, the DNS service on port 53 is provided by BIND rather than by samba, but the port is still required.
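The table and its footnotes translate directly into a host firewall allow-list, with two inputs that vary per installation: whether tls enabled is set (636/tcp and 3269/tcp) and which dynamic RPC range applies (49152-65535 for Samba 4.7 and later, 1024-1300 before). The POSIX shell script below is an added example, not code from the Samba wiki or the Samba project; it derives the port lists from those two inputs and emits an nftables ruleset. The nftables table and set names, the use of a client subnet, and the 10.99.0.0/24 address are assumptions made for this example. If rpc server port is set in smb.conf, pass that range instead of relying on the version.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): build the DC port allow-list from
# the port table above and emit an nftables ruleset for it. Table/set names
# and the client subnet are assumptions made for this example.

# Dynamic RPC range by Samba version (footnote *** above): 4.7 and later use
# 49152-65535, earlier releases 1024-1300. Override with the value of
# "rpc server port" from smb.conf if you set it.
rpc_port_range() {
    version=$1
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 7 ]; }; then
        echo "49152-65535"
    else
        echo "1024-1300"
    fi
}

# TCP ports from the table. LDAPS (636) and Global Catalog SSL (3269) are
# only needed when "tls enabled = yes" (footnote **). Port 53 stays in the
# list with the BIND9_DLZ back end too: it is opened by named, not samba.
dc_tcp_ports() {
    tls=$1
    version=$2
    ports="53, 88, 135, 139, 389, 445, 464, 3268"
    if [ "$tls" = yes ]; then
        ports="$ports, 636, 3269"
    fi
    echo "$ports, $(rpc_port_range "$version")"
}

# UDP ports from the table.
dc_udp_ports() {
    echo "53, 88, 137, 138, 389, 464"
}

# Emit an nftables ruleset that admits DC traffic from one client subnet and
# drops everything else on the input hook. Other host services (ssh, ntpd on
# 123/udp, ...) need their own accept rules before this is loaded.
nft_ruleset() {
    subnet=$1
    tls=$2
    version=$3
    cat <<EOF
table inet samba_dc {
    set dc_tcp_ports {
        type inet_service
        flags interval
        elements = { $(dc_tcp_ports "$tls" "$version") }
    }
    set dc_udp_ports {
        type inet_service
        elements = { $(dc_udp_ports) }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip saddr $subnet tcp dport @dc_tcp_ports accept
        ip saddr $subnet udp dport @dc_udp_ports accept
    }
}
EOF
}

# Usage: nft_ruleset 10.99.0.0/24 yes 4.9.0 > /etc/nftables.d/samba_dc.nft
nft_ruleset 10.99.0.0/24 yes 4.9.0
```

Review the generated file before loading it with nft -f: the policy drop on the input chain blocks anything not explicitly accepted, so add rules for management access first. The wide 49152-65535 range is what Windows clients expect by default; narrowing it with rpc server port in smb.conf lets you tighten the set to a few hundred ports without breaking DCE/RPC.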