Bug 1411650 - [RFE] should include additional xml file for opening all the required ports used while configuring trust among IPA and AD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Thomas Woerner
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-10 08:37 UTC by mpanaous
Modified: 2020-02-14 18:26 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 16:22:56 UTC
Target Upstream Version:
Embargoed:


Attachments
Proposed freeipa-trust service file for firewalld (590 bytes, application/xml), 2017-01-16 13:58 UTC, Thomas Woerner


Links
Red Hat Product Errata RHBA-2017:1934 (normal, SHIPPED_LIVE): firewalld bug fix and enhancement update, last updated 2017-08-01 17:55:15 UTC

Description mpanaous 2017-01-10 08:37:49 UTC
Description of problem:
As can be seen, there are already 3 related files for IPA with the required ports that should be opened during the product installation:

/usr/lib/firewalld/services/freeipa-ldaps.xml
/usr/lib/firewalld/services/freeipa-ldap.xml
/usr/lib/firewalld/services/freeipa-replication.xml

The main idea behind this RFE is to create a new xml file (probably named freeipa-trust) so as to handle all the ports required during the deployment of a trust setup.

So, according to the following, these are the required ports:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#trust-req-ports

Service                          Port        Protocol
Endpoint resolution portmapper   135         TCP
NetBIOS-DGM                      138         TCP and UDP
NetBIOS-SSN                      139         TCP and UDP
LDAP                             389         TCP and UDP
Microsoft-DS                     445         TCP and UDP
Endpoint mapper listener range   1024-1300   TCP
AD Global Catalog                3268        TCP

Version-Release number of selected component (if applicable):
-

How reproducible:
-

Steps to Reproduce:
1.
2.
3.

Actual results:
Instead of adding the ports manually, to have the option to execute

firewall-cmd --add-service=freeipa-trust

Expected results:
the same as above

Additional info:
Probably a short note also needs to be added to the description section of the previously mentioned files:

<description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option if you plan to provide a FreeIPA Domain Controller using the LDAP protocol. You can also enable the 'freeipa-ldaps' service if you want to provide the LDAPS protocol. Enable the 'dns' service if this FreeIPA server provides DNS services and 'freeipa-replication' service if this FreeIPA server is part of a multi-master replication setup.</description>

Comment 2 Thomas Woerner 2017-01-16 13:56:38 UTC
According to the link above the port

  LDAP    389    TCP and UDP [a]

is not required to be open on IdM servers for trust, but it is necessary for clients communicating with the IdM server.

Should it be part of freeipa-trust still?

Comment 3 Thomas Woerner 2017-01-16 13:58:41 UTC
Created attachment 1241245 [details]
Proposed freeipa-trust service file for firewalld

Please adapt the service file as needed. The documentation (short and description) might need some more information.
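The check below is an added example, not the attached service file or anything from firewalld itself. It parses a firewalld service definition in the same format as the files listed in the description (the XML here is constructed for the example and deliberately leaves part of the endpoint mapper range out) and compares the ports it opens with the table quoted from the Windows Integration Guide, treating LDAP 389 as optional because of the point raised in comment 2.

```python
import xml.etree.ElementTree as ET

# Trust ports from the Windows Integration Guide table quoted in the report.
REQUIRED = [("tcp", "135"), ("tcp", "138"), ("udp", "138"), ("tcp", "139"),
            ("udp", "139"), ("tcp", "445"), ("udp", "445"),
            ("tcp", "1024-1300"), ("tcp", "3268")]
# LDAP 389: per comment 2 it is needed by clients, not by the IdM server for the trust.
OPTIONAL = [("tcp", "389"), ("udp", "389")]

# Constructed service file in the format of /usr/lib/firewalld/services/*.xml;
# the endpoint mapper range is deliberately short (1024-1200) to show a gap.
SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FreeIPA trust</short>
  <description>Ports an IdM server needs for a trust with Active Directory.</description>
  <port protocol="tcp" port="135"/>
  <port protocol="tcp" port="138"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="udp" port="139"/>
  <port protocol="tcp" port="445"/>
  <port protocol="udp" port="445"/>
  <port protocol="tcp" port="1024-1200"/>
  <port protocol="tcp" port="3268"/>
</service>
"""

def expand(proto, spec):
    """Turn a firewalld port spec ("389" or "1024-1300") into (proto, n) pairs."""
    lo, _, hi = spec.partition("-")
    return {(proto, n) for n in range(int(lo), int(hi or lo) + 1)}

def opened_ports(xml_text):
    """Collect every (protocol, port number) a firewalld service file opens."""
    opened = set()
    for port in ET.fromstring(xml_text).iter("port"):
        opened |= expand(port.get("protocol"), port.get("port"))
    return opened

def check_service(xml_text):
    """Return (missing required ports, absent optional ports), each sorted."""
    opened = opened_ports(xml_text)
    need = set().union(*(expand(p, s) for p, s in REQUIRED))
    opt = set().union(*(expand(p, s) for p, s in OPTIONAL))
    return sorted(need - opened), sorted(opt - opened)
```

For the constructed file the first list reports tcp/1201-1300 as missing and the second reports 389 on both protocols as absent but optional.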

Comment 10 errata-xmlrpc 2017-08-01 16:22:56 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1934
