Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
As seen there are already 3 related files with IPA and the required ports that should be opened during the product installation
/usr/lib/firewalld/services/freeipa-ldaps.xml
/usr/lib/firewalld/services/freeipa-ldap.xml
/usr/lib/firewalld/services/freeipa-replication.xml
The main idea behind this RFE is to create a new xml file (probably named freeipa-trust) as to handle all the ports required during the deployment of a trust setup
So, according to the following those are required ports
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#trust-req-ports
Endpoint resolution portmapper 135 TCP
NetBIOS-DGM 138 TCP and UDP
NetBIOS-SSN 139 TCP and UDP
LDAP 389 TCP and UDP
Microsoft-DS 445 TCP and UDP
Endpoint mapper listener range 1024-1300 TCP
AD Global Catalog 3268 TCP
Version-Release number of selected component (if applicable):
-
How reproducible:
-
Steps to Reproduce:
1.
2.
3.
Actual results:
instead of adding manually the ports to have the option to execute
firewall-cmd --add-service=freeipa-trust
Expected results:
the same as above
Additional info:
probably need to add a short note also to the description section of the previously mentioned files
<description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option if you plan to provide a FreeIPA Domain Controller using the LDAP protocol. You can also enable the 'freeipa-ldaps' service if you want to provide the LDAPS protocol. Enable the 'dns' service if this FreeIPA server provides DNS services and 'freeipa-replication' service if this FreeIPA server is part of a multi-master replication setup.</description>
According to the link above the port
LDAP 389 TCP and UDP [a]
is not required to be open on IdM servers for trust, but it is necessary for clients communicating with the IdM server.
Should it be part of freeipa-trust still?
Created attachment 1241245[details]
Proposed freeipa-trust service file for firewalld
Please adapt the service file as needed. The documentation (short and description) might need some more information.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:1934