You can always sniff the network between the client and servers to see which ports traffic is going over.  Wireshark can do this or your firewall admin may be able to grab a trace.  It's ugly, but it will tell you every port used (even ephemeral ones).

=G=

On Wed, Mar 14, 2018 at 4:34 PM, Roger Mårtensson <roger.martensson@gmail.com> wrote:
Hi!

On 2018-03-14 at 18:26, Simo Sorce wrote:
On Wed, 2018-03-14 at 18:01 +0100, Roger Mårtensson wrote:
Hello!

Got tasked to look at firewall rules and am now wondering if there is a
document anywhere that describes the ports and protocols used by SSSD?

My list currently consists of: 53 (udp/tcp), 88 (udp), 389 (tcp), 636
(tcp) and 3268 (tcp) and 3269 (tcp)

If I search on "Windows Client" and ports I get tons of ports and
port-ranges I may need to open. But what does SSSD use?
It really depends on what backend you are using.

Sorry about that. I'm using the AD backend with kerberos (GSSAPI) against an Active Directory. (2008R2 at the moment. Hope 2016+ have added more ports)

for AD you won't need 636(tcp) but you will need 389 (udp) for site
discovery and 445 (tcp) if you use GPOs

If you use a plain LDAP server then you won't need 3268/3269

For password changes if you use kerberos (including AD) you will need
464(tcp)
Everything is so much simpler when not using a firewall but then you have to deal with the drawbacks.
Wish there was a popular API that services like this could use to announce ports used or propose rules.

If you use one of the pam passthrough modules you may need other
things (like NIS ports etc... )

Simo.

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
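The trace-driven approach suggested at the top of the thread, as an added example that is not code from any poster: a small Python audit that reads a flattened connection list (the sample is constructed, standing in for a real capture export), ignores the ephemeral source ports, and compares destination ports against the AD-backend list the thread arrived at. The sample deliberately contains 88/tcp, which the thread's list lacks (it names only 88/udp), so the script flags it; Kerberos does fall back to TCP for large replies, which is exactly the kind of gap a trace exposes.

```python
"""Audit observed client->DC traffic against the SSSD AD-backend port list
discussed in the thread.  Added example; the sample trace is constructed."""
from collections import Counter

# (protocol, destination port) -> service, as settled in the thread for the
# AD backend: 636/tcp dropped (not needed for AD), 445/tcp only for GPOs.
EXPECTED_AD_PORTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos",
    ("udp", 389): "CLDAP site discovery", ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB (GPO access)",
    ("tcp", 464): "Kerberos password change",
    ("tcp", 3268): "Global Catalog", ("tcp", 3269): "Global Catalog (TLS)",
}

# Constructed sample in the shape proto,src,sport,dst,dport (not a real capture).
SAMPLE_TRACE = """\
udp,10.0.0.5,49231,10.0.0.10,53
udp,10.0.0.5,49232,10.0.0.10,389
tcp,10.0.0.5,49233,10.0.0.10,389
udp,10.0.0.5,49234,10.0.0.10,88
tcp,10.0.0.5,49235,10.0.0.10,88
tcp,10.0.0.5,49236,10.0.0.10,3268
tcp,10.0.0.5,49237,10.0.0.10,464
tcp,10.0.0.5,49238,10.0.0.10,445
"""


def parse_trace(text):
    """Yield (proto, dport) per record; the ephemeral source port is ignored."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, _src, _sport, _dst, dport = (f.strip() for f in line.split(","))
        yield proto.lower(), int(dport)


def audit(text, expected=EXPECTED_AD_PORTS):
    """Return (seen counts, flows not in the rule set, rules never exercised)."""
    seen = Counter(parse_trace(text))
    unexpected = {key: n for key, n in seen.items() if key not in expected}
    unused = sorted(set(expected) - set(seen))
    return seen, unexpected, unused


if __name__ == "__main__":
    seen, unexpected, unused = audit(SAMPLE_TRACE)
    for (proto, port), n in sorted(seen.items()):
        label = EXPECTED_AD_PORTS.get((proto, port), "NOT IN RULE SET")
        print(f"{port:>5}/{proto} x{n:<3} {label}")
    print("unexpected:", unexpected, "| unused rules:", unused)
```

Ports that appear in `unexpected` need either a rule or an explanation before the firewall is tightened; `unused` rules are candidates to verify (3269/tcp here) rather than delete outright, since a short capture may simply not have exercised them.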