firewalld: how to open ports correctly?

Hello!
How are you?

I need to open ports in firewalld. I have tried many times: first in the public zone and then in trusted, from the terminal with the --permanent command and with yast2, and it does not work. openSUSE is running with NetworkManager on an Oracle VM, bridge mode, network permits all. I did read the official documentation. When I turn the firewall off, the ports are accessible (of course), which only shows that the service is running correctly, but I do not want to leave the firewall off. I am confused about how to configure it.
The ports that I need to open are those of samba-ad-dc. Please, can somebody help me?

Thank you so much

There are 2 steps to have the firewall let you use specific ports:

  1. Assign the network connection to a firewall zone (General configuration tab)
  2. Open wanted ports for that firewall zone (YaST Firewall and/or config files)

Which step from above did you do when you mention the public/trusted zone? In YaST Firewall there are some predefined services you can add to a given firewall zone, including some known Samba configurations.

Hello

1 - Yes, network connection assigned to zone = public
2 - All TCP/UDP ports from samba-ad-dc put in zone = public

samba-ad-dc is different from just samba, I think! And it is not a predefined service in the firewall zones. For this I got the samba-ad-dc ports to try to open them, but it does not work; they still stay blocked!

thanks

Look in the logs:

sudo less /var/log/firewalld

To create a custom service definition, you need to:

  1. Create a service .xml file
  2. Restart the firewall service so it becomes aware of the new service
  3. Add the service to the running firewall’s zone
  4. Make it permanent

Possibly you've forgotten one step, or have done them in a different order:


sudo tee /etc/firewalld/services/spotify.xml >/dev/null <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Spotify</short>
  <description>Spotify Connect</description>
  <port protocol="udp" port="5353"/>
  <port protocol="tcp" port="57621"/>
</service>
EOF

sudo systemctl restart firewalld
sudo firewall-cmd --zone=home --add-service=spotify
sudo firewall-cmd --permanent --zone=home --add-service=spotify

Create a custom service eg /etc/firewalld/services/samba-dc.xml


<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba DC</short>
  <description>This option allows you to use this computer as a Samba Active Directory Domain Controller. You need the samba-dc package installed for this option to be useful.</description>
  <port protocol="tcp" port="53"/><!-- DNS -->
  <port protocol="udp" port="53"/><!-- DNS -->
  <port protocol="tcp" port="88"/><!-- Kerberos -->
  <port protocol="udp" port="88"/><!-- Kerberos -->
  <port protocol="tcp" port="135"/><!-- End Point Mapper (DCE/RPC Locator Service) -->
  <port protocol="udp" port="137"/><!-- NetBIOS Name Service -->
  <port protocol="udp" port="138"/><!-- NetBIOS Datagram -->
  <port protocol="tcp" port="139"/><!-- NetBIOS Session -->
  <port protocol="tcp" port="389"/><!-- LDAP -->
  <port protocol="udp" port="389"/><!-- CLDAP -->
  <port protocol="tcp" port="445"/><!-- SMB over TCP -->
  <port protocol="tcp" port="464"/><!-- Kerberos kpasswd -->
  <port protocol="udp" port="464"/><!-- Kerberos kpasswd -->
  <port protocol="tcp" port="636"/><!-- LDAPS -->
  <port protocol="tcp" port="49152-65535"/><!-- Dynamic RPC Ports -->
  <port protocol="tcp" port="3268"/><!-- Global Catalog -->
  <port protocol="tcp" port="3269"/><!-- Global Catalog SSL -->
  <module name="netbios-ns"/>
</service>

Once that's done, reload firewalld so it picks up the new service definition:

sudo firewall-cmd --reload

Add the service to the appropriate zone. For example

sudo firewall-cmd --zone=trusted --add-service=samba-dc

See how that goes.
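The two replies above describe the same four-step procedure (service file, reload, add to zone, make permanent). The script below is an added example, not code posted in the thread: it generates the service XML from a port list (the Samba AD DC ports listed above, embedded here as a constructed list), and an `apply_service` function loads it, binds it to the zone the active interface actually uses, makes it permanent and verifies the result. The directory argument to the generator, the function names and the zone auto-detection are this example's own choices; the apply and verify steps need root and a running firewalld.

```shell
#!/bin/sh
# Added example (not from the thread): generate a firewalld service definition
# from a port list, then load it, bind it to the zone the active interface
# really uses, make it permanent and verify. The generator is plain POSIX sh;
# apply_service needs root and firewalld.

# Constructed port list for the Samba AD DC role (proto:port), matching the
# samba-dc.xml shown in the thread.
SAMBA_DC_PORTS="tcp:53 udp:53 tcp:88 udp:88 tcp:135 udp:137 udp:138 tcp:139 \
tcp:389 udp:389 tcp:445 tcp:464 udp:464 tcp:636 tcp:3268 tcp:3269 tcp:49152-65535"

# write_service_xml DIR NAME SHORT DESCRIPTION PORTS...
# Writes DIR/NAME.xml in firewalld's service format and prints the path.
# DIR is a parameter so the file can be generated into a scratch directory
# and inspected before it is dropped into /etc/firewalld/services.
write_service_xml() {
    dir=$1; name=$2; short=$3; desc=$4; shift 4
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
        for entry in "$@"; do
            proto=${entry%%:*}; port=${entry#*:}
            printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        done
        printf '</service>\n'
    } > "$out"
    printf '%s\n' "$out"
}

# count_ports FILE -> number of <port .../> elements, a quick sanity check.
count_ports() {
    grep -c '<port protocol=' "$1"
}

# apply_service NAME [ZONE]
# Installs the generated file, reloads firewalld so it learns the new service,
# then adds it to the zone at runtime and permanently. If ZONE is omitted, the
# zone of the first active interface is used: a service added to "public" does
# nothing if the interface actually sits in "trusted" or vice versa.
apply_service() {
    name=$1; zone=$2
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    if [ -z "$zone" ]; then
        zone=$(firewall-cmd --get-active-zones | head -n1)
    fi
    write_service_xml /etc/firewalld/services "$name" "Samba DC" \
        "Samba Active Directory Domain Controller" $SAMBA_DC_PORTS >/dev/null
    firewall-cmd --reload                               # pick up the new service file
    firewall-cmd --zone="$zone" --add-service="$name"   # runtime
    firewall-cmd --permanent --zone="$zone" --add-service="$name"
    # Verify: the service must now appear in the zone's runtime configuration.
    firewall-cmd --zone="$zone" --list-services | grep -qw "$name"
}

# Usage (as root):  apply_service samba-dc          # auto-detect the zone
#                   apply_service samba-dc public   # or name it explicitly
```

`firewall-cmd --zone=<zone> --list-all` afterwards shows the interface, the services and the ports in one view, which is the quickest way to catch the mismatch between the zone you edited and the zone the interface is in. Note that the 49152-65535 range opens the whole dynamic RPC range; Samba's `rpc server dynamic port range` smb.conf option can narrow it if a tighter service definition is wanted.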

Hello!
How are you?

I tried the 2 options from the thread and after saving firewalld and bringing it up, or starting the server, it does not work; it stays blocked.
See the picture:

[screenshot]

Thanks for your attention

Are you sure this is a firewall issue? Did you try with the firewall inactive? It might also be a name resolution problem. You could try specifying the FQDN explicitly, e.g.

net ads join -U administrator -S domain_controller.example.com

Samba reference guide:
https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#Troubleshooting_the_Domain_Join_Procedure

What kind of SAMBA services are you running on this machine?
Is it a SAMBA Domain Controller or simply a SAMBA file server?

TSU

Good question. I initially assumed the OP was setting up a controller (that's what the firewall service is for), but this appears to be a client host joining a Samba domain.

Hello

Here is the picture when ad-dc is running with the firewall off.

[screenshot]

As you can see, the member could join the AD DC.
If I leave the firewall on, even with the samba-dc service created to open the ports, the member does not join the AD DC machine.

Hello

The service that I am running is samba-ad-dc
from: https://software.opensuse.org/package/samba-ad-dc
Since I started installing samba-ad-dc following a "how to" found on Google and the Samba wiki: you cannot run the 2 services on the same server. Either you run a Samba file server or samba-ad-dc, and you need to remove one so as not to have package and service problems. That is what I have read until now, but I could be wrong.

Thank you!

Ok, thanks for clarifying here.

Hello!

Any Idea how to fix this?

Thank you

You didn't show us what happens if you try to connect by specifying the domain controller server FQDN explicitly (refer to post #7)

net ads join -U administrator -S ad.prefprude.br

Also, please confirm to us the current firewall config.

Hello!

I think I found the problem. It was neither firewalld nor samba-ad-dc. The firewall is working well after inserting the samba-ad-dc ports: yast2 > firewall > public > ports - TCP ports and UDP ports, and OK, solved.
The problem is when starting the server; after checking:

systemctl status samba-ad-dc


samba[1197]:   /usr/sbin/samba_dnsupdate: WARNING: no network interfaces found

I followed this:


"the proper fix would be to go to 'Network|Interface Management' in the GUI and click the save button"

So, restart samba-ad-dc:


systemctl restart samba-ad-dc

And OK, the member can join the DC following the Samba wiki.

I tested with another distro and it works nicely, but I would like to use openSUSE.

Now I need to fix NM.

thank you

Douglas


Ok, I'm not completely clear on what you hadn't done, but glad to read of your success with this anyway. :wink:

I did everything (following the wiki). But I still have an error/problem. Every time the server needs a reset or shutdown, after boot I need to go to Network Manager, click on it, click save and restart samba-ad-dc for it to work fine as AD DC (Network Manager then "sees" eth0, the network for samba-ad-dc, correctly). Last week I tested with Debian and it works fine.
So I think there may be something to fix in Network Manager.

I am not using Wicked because it does not work simply on the Oracle VM.

Thanks