diff --git a/.env b/.env
index 19d3af3..0d1b92b 100644
--- a/.env
+++ b/.env
@@ -1,3 +1,4 @@
 PRIMARYIP=192.168.110.4
 SECONDARYIP=192.168.110.34
-RESTOREDIP=192.168.110.10
+RESTOREDIP=192.168.110.12
+FORWARDERIP=192.168.110.10
diff --git a/README.md b/README.md
index 64897b1..db89a6f 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ Samba ad dcイメージのベースとなるイメージを作成する。
 スクリプトの修正等でコンテナを作り直す際に、最低限のダウンロードで済ませるため。
 ```
-./mkbaseimage.sh
+sudo baseimage/mkbaseimage.sh
 ```
 ### 目的のdocker-compose.ymlを作成する
@@ -43,7 +43,9 @@ cp docker-compose.yml.primary docker-compose.yml
 ### ホストのIPアドレスを設定する
 .envにプライマリーDC、セカンダリーDC、リストアドDCのコンテナを動作させるホストのIPアドレスを設定する。
-ホームラボのホストが指定してあるので、適宜変更する。
+あわせて各DCのフォワード先IPアドレスを設定する。
+
+ダウンロードした.envにはホームラボのホストが指定してあるので、環境に合わせて変更する。
 セカンダリーDC、リストアドDCを使わない場合は、未設定で問題はない。
 ### 動作条件を設定する
@@ -57,7 +59,9 @@ docker-compose.ymlで動作条件を設定する。
 | SMB_DOMAIN | レルムのドメイン名 |
 | SMB_ADMINPASS | administratorのパスワード |
 | SMB_HOSTIP | コンテナを動作させるホストのIPアドレス |
+| SMB_FORWARD | フォワード先となるDNSのIPアドレス |
 | SMB_RPC_PORTS | RPCで使用するポート範囲 |
+| SMB_WEB_PORTS | Apacheが使用するポート |
 | SMB_PURPOSE | "primary"として、プライマリーDCとする |
 | SMB_USEBIND9 | DNSの選択 "false":内蔵 "true":BIND9 |
 | RSY_SECONDARY | セカンダリーのIPアドレス
SMB_PURPOSEが"primary"の場合に有効 |
@@ -65,16 +69,6 @@ docker-compose.ymlで動作条件を設定する。
 ※SMB_PURPOSEは、"secondary"と"restore"を指定可能だが、それぞれ別にymlを用意してあるので、それを使うこと。
-#### ports:
-
-IPアドレスを指定してポートをマッピングしている。
-コンテナを動作させるホストのIPアドレスを設定する。
-
-#### dns:
-
-Samba ad dcが名前解決でフォワードするDNSのIPアドレスを設定する。
-ホームラボのDNSを指定してあるので、適宜変更する。
-
 ### 証明書類を準備する
 ドメインで使用する証明書類をpackages/cert に配置する。
@@ -94,16 +88,27 @@ Samba ad dcが名前解決でフォワードするDNSのIPアドレスを設定
 ### ファイアウォールの設定
-コンテナからホストへのアクセスを許可する。
-
-コンテナのIPアドレスはdocker-compose.ymlで指定したもの。
-変更した場合には、fromのIPアドレスを書き換えること。
-また、toはコンテナを動作させるホストのIPアドレスを指定する。
+ファイアウォールを設定するスクリプトを実行する。
 ```
-sudo ufw allow from 172.26.0.101 to 192.168.110.4 comment "From container"
+sudo ./setufw.sh
 ```
+このスクリプトはどこから接続されても良い、という設定をしているので、接続元を限定したい場合には、
+
+```
+ufw $1 allow to any port 53 proto any from any comment "DNS"
+```
+
+の from のところに限定したい範囲を書いておく。
+
+何らかの理由で追加したファイアウォールの設定を解除するなら、以下を実行する。
+
+```
+sudo ./setufw.sh delete
+```
+
+
 ### コンテナを起動
 コンテナを構築して起動する。
@@ -121,8 +126,8 @@ phpLDAPadminとLDAP Account Managerのポート8081にリバースプロキシ
 /etc/apache2/sites-available/myservice.conf
 ```
- ServerAdmin webmaster@hogeserver.hogeddns.jp
- ServerName addc.hogeserver.hogeddns.jp
+ ServerAdmin webmaster@example.net
+ ServerName addc.example.net
 DocumentRoot /var/www/html
 ErrorLog ${APACHE_LOG_DIR}/error.log
@@ -136,8 +141,8 @@ phpLDAPadminとLDAP Account Managerのポート8081にリバースプロキシ
 # SSL
 SSLEngine on
- SSLCertificateFile /etc/ssl/private/wild.hoge.crt
- SSLCertificateKeyFile /etc/ssl/private/wild.hoge.key
+ SSLCertificateFile /etc/ssl/private/example.net.crt
+ SSLCertificateKeyFile /etc/ssl/private/example.net.key
 ```
@@ -149,7 +154,8 @@ sudo a2enmod proxy_http ssl
 sudo systemctl restart apache2
 ```
-なお、リバースプロキシ設定せずに、8081ポートに直接アクセスすることもできる。
+なお、リバースプロキシ設定せずに、8081ポートに直接アクセスすることもできる。
+この場合にはファイアウォールで8081/tcpを解放する。
 ## 使用方法
@@ -160,10 +166,10 @@ sudo docker exec -it samba bash --login
 ```
 phpLDAPadminにはブラウザでアクセスできる。ドメイン部分は環境に合わせる。
-https://addc.hogeserver.hogeddns.jp/phpldapadmin
+https://addc.example.net/phpldapadmin
 LDAP Account Managerも同様。
-https://addc.hogeserver.hogeddns.jp/lam
+https://addc.example.net/lam
 ## その他
diff --git a/baseimage/mkbaseimage.sh b/baseimage/mkbaseimage.sh
new file mode 100755
index 0000000..485c4f1
--- /dev/null
+++ b/baseimage/mkbaseimage.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+cd $(dirname ${0})
+docker build -t custom/samba:0.0.1 -f $PWD/Dockerfile .
diff --git a/docker-compose.yml.primary b/docker-compose.yml.primary
index 1fe562f..da88d76 100644
--- a/docker-compose.yml.primary
+++ b/docker-compose.yml.primary
@@ -8,11 +8,13 @@ services:
 restart: unless-stopped
 environment:
 TZ: Asia/Tokyo
- SMB_REALM: HOGESERVER.HOGEDDNS.JP
+ SMB_REALM: EXAMPLE.NET
 SMB_DOMAIN: HOGEDOMAIN
 SMB_ADMINPASS: p@ssword123
 SMB_HOSTIP: ${PRIMARYIP}
+ SMB_FORWARD: ${FORWARDERIP}
 SMB_RPC_PORTS: 49152-49200
+ SMB_WEB_PORTS: 8081
 SMB_PURPOSE: "primary"
 SMB_USEBIND9: "false"
 #RSY_SECONDARY: ${SECONDARYIP}
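Review bot: In baseimage/mkbaseimage.sh the `cd $(dirname ${0})` is unquoted and its result is not checked, so a checkout path containing whitespace breaks the `cd`, and when it fails the script still runs `docker build` from the caller's directory with `-f $PWD/Dockerfile`. Write `cd "$(dirname "$0")" || exit 1` and quote the Dockerfile path: `docker build -t custom/samba:0.0.1 -f "$PWD/Dockerfile" .`. Since `sudo` moved out of the script into the README invocation, a one-line header comment such as `# Builds the custom/samba base image; run with sudo (see README).` would keep that expectation visible in the file itself.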
@@ -23,47 +25,13 @@ services:
 - bind_etc:/etc/bind
 - bind_lib:/var/lib/bind
 - lam:/var/lib/ldap-account-manager
- networks:
- samba:
- ipv4_address: 172.26.0.101
- ports:
- - ${PRIMARYIP}:53:53 #DNS
- - ${PRIMARYIP}:53:53/udp #DNS
- - ${PRIMARYIP}:135:135 #End Point Mapper(WINS)
- - ${PRIMARYIP}:137:137/udp #NetBIOS Name Service
- - ${PRIMARYIP}:138:138/udp #NetBIOS Datagram
- - ${PRIMARYIP}:139:139 #NetBIOS Session
- - ${PRIMARYIP}:445:445 #SMB over TCP
- - ${PRIMARYIP}:389:389 #LDAP
- - ${PRIMARYIP}:389:389/udp #LDAP
- - ${PRIMARYIP}:636:636 #LDAPS
- - ${PRIMARYIP}:88:88 #Kerberos
- - ${PRIMARYIP}:88:88/udp #Kerberos
- - ${PRIMARYIP}:464:464 #Kerberos kpasswd
- - ${PRIMARYIP}:464:464/udp #Kerberos kpasswd
- - ${PRIMARYIP}:3268:3268 #Global Catalog
- - ${PRIMARYIP}:3269:3269 #Global Catalog SSL
- #RPC The same value as SMB_RPC_PORTS.
- - ${PRIMARYIP}:49152-49200:49152-49200
- - 873:873 #rsync
- - 8081:80 #phpLDAPadmin & LDAP Account Manager
+ network_mode: "host"
 hostname: addc
 dns:
- - 192.168.110.1
+ - ${PRIMARYIP}
 dns_search:
- - hogeserver.hogeddns.jp
+ - example.net
 privileged: true
- devices:
- - /dev/net/tun
- cap_add:
- - NET_ADMIN
-
-networks:
- samba:
- ipam:
- config:
- - subnet: 172.26.0.0/16
- gateway: 172.26.0.1
 volumes:
 samba_etc:
diff --git a/docker-compose.yml.restore b/docker-compose.yml.restore
index e5a608b..1ae64b7 100644
--- a/docker-compose.yml.restore
+++ b/docker-compose.yml.restore
@@ -9,11 +9,13 @@ services:
 restart: unless-stopped
 environment:
 TZ: Asia/Tokyo
- SMB_REALM: HOGESERVER.HOGEDDNS.JP
+ SMB_REALM: EXAMPLE.NET
 SMB_DOMAIN: HOGEDOMAIN
 SMB_ADMINPASS: p@ssword123
 SMB_HOSTIP: ${RESTOREDIP}
+ SMB_FORWARD: ${FORWARDERIP}
 SMB_RPC_PORTS: 49152-49200
+ SMB_WEB_PORTS: 8081
 SMB_PURPOSE: "restore"
 volumes:
 - samba_etc:/etc/samba
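Review bot: `privileged: true` is kept while `cap_add: NET_ADMIN` and the `/dev/net/tun` device are dropped, and the service now runs with `network_mode: "host"`; under `privileged` those removed lines were already implied, so the deletion does not reduce what the container can do, and the combination leaves the Samba process with the host's full network namespace plus every capability. If `privileged` existed only for the former TUN/NET_ADMIN setup it can presumably go now, given the config scripts in this commit bind Samba to `$SMB_HOSTIP 127.0.0.1` — worth confirming rather than carrying it forward silently. The `dns:` entry now names this host's own address, so resolution inside the container depends on this DC's DNS already being up; a comment such as `# resolver is this DC itself; first-run provisioning must not depend on name lookups` would record that assumption. The same points apply to the docker-compose.yml.restore and docker-compose.yml.secondary hunks below.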
@@ -21,47 +23,13 @@ services:
 - bind_etc:/etc/bind
 - bind_lib:/var/lib/bind
 - lam:/var/lib/ldap-account-manager
- networks:
- samba:
- ipv4_address: 172.26.0.103
- ports:
- - ${RESTOREDIP}:53:53 #DNS
- - ${RESTOREDIP}:53:53/udp #DNS
- - ${RESTOREDIP}:135:135 #End Point Mapper(WINS)
- - ${RESTOREDIP}:137:137/udp #NetBIOS Name Service
- - ${RESTOREDIP}:138:138/udp #NetBIOS Datagram
- - ${RESTOREDIP}:139:139 #NetBIOS Session
- - ${RESTOREDIP}:445:445 #SMB over TCP
- - ${RESTOREDIP}:389:389 #LDAP
- - ${RESTOREDIP}:389:389/udp #LDAP
- - ${RESTOREDIP}:636:636 #LDAPS
- - ${RESTOREDIP}:88:88 #Kerberos
- - ${RESTOREDIP}:88:88/udp #Kerberos
- - ${RESTOREDIP}:464:464 #Kerberos kpasswd
- - ${RESTOREDIP}:464:464/udp #Kerberos kpasswd
- - ${RESTOREDIP}:3268:3268 #Global Catalog
- - ${RESTOREDIP}:3269:3269 #Global Catalog SSL
- #RPC The same value as SMB_RPC_PORTS.
- - ${RESTOREDIP}:49152-49200:49152-49200
- - 873:873 #rsync
- - 8081:80 #phpLDAPadmin & LDAP Account Manager
+ network_mode: "host"
 hostname: addcr
 dns:
- - 192.168.110.1
+ - ${RESTOREDIP}
 dns_search:
- - hogeserver.hogeddns.jp
+ - example.net
 privileged: true
- devices:
- - /dev/net/tun
- cap_add:
- - NET_ADMIN
-
-networks:
- samba:
- ipam:
- config:
- - subnet: 172.26.0.0/16
- gateway: 172.26.0.1
 volumes:
 samba_etc:
diff --git a/docker-compose.yml.secondary b/docker-compose.yml.secondary
index 92b12af..3115f0a 100644
--- a/docker-compose.yml.secondary
+++ b/docker-compose.yml.secondary
@@ -8,11 +8,13 @@ services:
 restart: unless-stopped
 environment:
 TZ: Asia/Tokyo
- SMB_REALM: HOGESERVER.HOGEDDNS.JP
+ SMB_REALM: EXAMPLE.NET
 SMB_DOMAIN: HOGEDOMAIN
 SMB_ADMINPASS: p@ssword123
 SMB_HOSTIP: ${SECONDARYIP}
+ SMB_FORWARD: ${FORWARDERIP}
 SMB_RPC_PORTS: 49152-49200
+ SMB_WEB_PORTS: 8081
 SMB_PURPOSE: "secondary"
 SMB_USEBIND9: "false"
 RSY_PRIMARY: ${PRIMARYIP}
@@ -23,47 +25,13 @@ services:
 - bind_etc:/etc/bind
 - bind_lib:/var/lib/bind
 - lam:/var/lib/ldap-account-manager
- networks:
- samba:
- ipv4_address: 172.26.0.102
- ports:
- - ${SECONDARYIP}:53:53 #DNS
- - ${SECONDARYIP}:53:53/udp #DNS
- - ${SECONDARYIP}:135:135 #End Point Mapper(WINS)
- - ${SECONDARYIP}:137:137/udp #NetBIOS Name Service
- - ${SECONDARYIP}:138:138/udp #NetBIOS Datagram
- - ${SECONDARYIP}:139:139 #NetBIOS Session
- - ${SECONDARYIP}:445:445 #SMB over TCP
- - ${SECONDARYIP}:389:389 #LDAP
- - ${SECONDARYIP}:389:389/udp #LDAP
- - ${SECONDARYIP}:636:636 #LDAPS
- - ${SECONDARYIP}:88:88 #Kerberos
- - ${SECONDARYIP}:88:88/udp #Kerberos
- - ${SECONDARYIP}:464:464 #Kerberos kpasswd
- - ${SECONDARYIP}:464:464/udp #Kerberos kpasswd
- - ${SECONDARYIP}:3268:3268 #Global Catalog
- - ${SECONDARYIP}:3269:3269 #Global Catalog SSL
- #RPC The same value as SMB_RPC_PORTS.
- - ${SECONDARYIP}:49152-49200:49152-49200
- - 8081:80 #phpLDAPadmin & LDAP Account Manager
+ network_mode: "host"
 hostname: addc2
 dns:
- - ${PRIMARYIP} #Used for domain to join
- #- 192.168.110.1 #Used for normal operation
+ - ${SECONDARYIP}
 dns_search:
- - hogeserver.hogeddns.jp
+ - example.net
 privileged: true
- devices:
- - /dev/net/tun
- cap_add:
- - NET_ADMIN
-
-networks:
- samba:
- ipam:
- config:
- - subnet: 172.26.0.0/16
- gateway: 172.26.0.1
 volumes:
 samba_etc:
@@ -71,5 +39,3 @@ volumes:
 bind_etc:
 bind_lib:
 lam:
-# private:
-# sysvol:
diff --git a/mkbaseimage.sh b/mkbaseimage.sh
deleted file mode 100755
index 0dac5ad..0000000
--- a/mkbaseimage.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-cd $(dirname ${0})
-sudo docker build -t custom/samba:0.0.1 -f $PWD/baseimage/Dockerfile .
diff --git a/packages/config-primary.sh b/packages/config-primary.sh
index c1600c6..6f7d455 100755
--- a/packages/config-primary.sh
+++ b/packages/config-primary.sh
@@ -14,7 +14,7 @@ if [ -z "$(ls /var/lib/samba/private)" ]; then
 --domain=$SMB_DOMAIN
 --server-role=dc
 --adminpass=$SMB_ADMINPASS
- --option=\"dns forwarder = 127.0.0.11\"
+ --option=\"dns forwarder = $SMB_FORWARD\"
 --option=\"dns update command = /usr/sbin/samba_dnsupdate --current-ip $SMB_HOSTIP\"
 --option=\"template homedir = /home/%D/%U\"
 --option=\"template shell = /bin/bash\"
@@ -23,6 +23,8 @@ if [ -z "$(ls /var/lib/samba/private)" ]; then
 --option=\"idmap config $SMB_DOMAIN:unix_nss_info = yes\"
 --option=\"idmap config $SMB_DOMAIN:unix_primary_group = yes\"
 --option=\"rpc server dynamic port range = $SMB_RPC_PORTS\"
+ --option=\"bind interfaces only = yes\"
+ --option=\"interfaces = $SMB_HOSTIP 127.0.0.1\"
 --host-ip=$SMB_HOSTIP
 "
 if [ $SMB_USEBIND9 = "true" ]; then
@@ -122,6 +124,9 @@ EOF
 echo "ServerName localhost" | tee /etc/apache2/conf-available/fqdn.conf
 a2enconf fqdn
+ # Sets the port used by apache.
+ sed -i "s/Listen 80/Listen $SMB_WEB_PORTS/" /etc/apache2/ports.conf
+
 # Setup phpLdapAdmin.
 if [ -e /root/packages/phpLDAPadmin-1.2.3.tar.gz ]; then
 a2dismod php8.1
@@ -164,11 +169,6 @@ fi
 #----------------------------------------------------------------------
 echo "Setting to do every time"
-# Resolver settings.
-cp /etc/resolv.conf /root/packages/resolv.conf
-sed -i "s/nameserver 127.0.0.11/nameserver 127.0.0.1/" /root/packages/resolv.conf
-cat /root/packages/resolv.conf > /etc/resolv.conf
-
 # Switch DNS backend.
 if [ $SMB_USEBIND9 = "true" ]; then
 if [ ! -e /var/lib/samba/bind-dns/named.conf ]; then
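Review bot: `--option=\"dns forwarder = $SMB_FORWARD\"` interpolates a variable that nothing in the script checks is set; with an empty SMB_FORWARD provisioning silently gets `dns forwarder = ` and, in the BIND9 branch of the @@ -179 hunk below, the inserted `forwarders { $SMB_FORWARD; };` becomes `forwarders { ; };`, which named rejects at startup. Fail early, before the parameter string is assembled, with `: "${SMB_FORWARD:?SMB_FORWARD (FORWARDERIP in .env) must be set}"`. The string is presumably expanded through `eval` later in this script as config-secondary.sh does for its join, so the value also needs to be free of shell metacharacters — a comment next to the assignment saying the options are eval-expanded would make that constraint explicit. The same unchecked interpolation is added in config-restore.sh (@@ -16) and config-secondary.sh (@@ -9); the enclosing `if` block starts above this hunk.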
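Review bot: `sed -i "s/Listen 80/Listen $SMB_WEB_PORTS/" /etc/apache2/ports.conf` in the @@ -122 hunk is unanchored, so it matches any line beginning `Listen 80` and is not idempotent: should this block ever run again on a file that already reads `Listen 8081`, it is rewritten to `Listen 808181`, and an unset SMB_WEB_PORTS yields a bare `Listen`. Anchor the pattern: `sed -i "s/^Listen 80$/Listen $SMB_WEB_PORTS/" /etc/apache2/ports.conf`. With `network_mode: "host"` this `Listen` binds Apache on every host address while the same commit restricts Samba to `$SMB_HOSTIP 127.0.0.1`; `Listen $SMB_HOSTIP:$SMB_WEB_PORTS` (plus 127.0.0.1 if the README's reverse proxy targets localhost) would keep the two aligned — worth confirming against the proxy target, which is not shown here. The identical line is added in config-restore.sh (@@ -72) and config-secondary.sh (@@ -131).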
@@ -179,7 +179,7 @@ if [ $SMB_USEBIND9 = "true" ]; then
 cp -a /etc/bind/named.conf /etc/bind/named.conf.bak
 sed -i "\$a include \"/var/lib/samba/bind-dns/named.conf\";" /etc/bind/named.conf
 cp -a /etc/bind/named.conf.options /etc/bind/named.conf.options.bak
- sed -i "/listen-on-v6/a\\\n\tforwarders { 127.0.0.11; };\n\tallow-query { any; };\n\tallow-transfer { none; };\n\ttkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";\n\tminimal-responses yes;" /etc/bind/named.conf.options
+ sed -i "/listen-on-v6/a\\\n\tforwarders { $SMB_FORWARD; };\n\tallow-query { any; };\n\tallow-transfer { none; };\n\ttkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";\n\tminimal-responses yes;" /etc/bind/named.conf.options
 cp -a /etc/bind/named.conf.local /etc/bind/named.conf.local.bak
 sed -i "s@^//include@include@" /etc/bind/named.conf.local
 fi
diff --git a/packages/config-restore.sh b/packages/config-restore.sh
index 2fc3484..4cd77fd 100755
--- a/packages/config-restore.sh
+++ b/packages/config-restore.sh
@@ -16,7 +16,9 @@ if [ -z "$(ls /var/lib/samba/private)" ]; then
 --backup-file=$(ls /root/packages/samba-backup-*) \
 --newservername=$(hostname) \
 --targetdir=/root/packages/restore \
- --host-ip=$SMB_HOSTIP
+ --host-ip=$SMB_HOSTIP \
+ --option="dns forwarder = $SMB_FORWARD" \
+ --option="interfaces = $SMB_HOSTIP 127.0.0.1"
 mv /root/packages/restore/etc/* /etc/samba/
 rmdir /root/packages/restore/etc
@@ -72,6 +74,9 @@ if [ ! -e /root/packages/configured ]; then
 echo "ServerName localhost" | tee /etc/apache2/conf-available/fqdn.conf
 a2enconf fqdn
+ # Sets the port used by apache.
+ sed -i "s/Listen 80/Listen $SMB_WEB_PORTS/" /etc/apache2/ports.conf
+
 # Setup phpLdapAdmin.
 if [ -e /root/packages/phpLDAPadmin-1.2.3.tar.gz ]; then
 a2dismod php8.1
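Review bot: In the config-restore.sh @@ -16 hunk the new `--option="interfaces = $SMB_HOSTIP 127.0.0.1"` is added without `bind interfaces only = yes`, whereas the matching hunks in config-primary.sh (@@ -23) and config-secondary.sh (@@ -22) add both; on its own the `interfaces` list does not make smbd bind only to those addresses, so under `network_mode: "host"` the restored DC would still listen on every host interface. Add `--option="bind interfaces only = yes" \` next to it so all three roles get the same binding. The command these arguments belong to starts above the hunk, so whether it is expanded through `eval` like the other scripts is not visible here; a short comment above the option lines stating how they are passed would help the next reader check the quoting.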
@@ -112,9 +117,4 @@ fi
 #----------------------------------------------------------------------
 # Container and Volumes is left.
 #----------------------------------------------------------------------
-echo "Setting to do every time"
-
-# Resolver settings.
-cp /etc/resolv.conf /root/packages/resolv.conf
-sed -i "s/nameserver 127.0.0.11/nameserver 127.0.0.1/" /root/packages/resolv.conf
-cat /root/packages/resolv.conf > /etc/resolv.conf
+#echo "Setting to do every time"
diff --git a/packages/config-secondary.sh b/packages/config-secondary.sh
index cd65fe7..19a87b2 100755
--- a/packages/config-secondary.sh
+++ b/packages/config-secondary.sh
@@ -9,10 +9,11 @@ if [ -z "$(ls /var/lib/samba/private)" ]; then
 # Make join parameters.
 SMB_TMP_PARAM="
+ --server=${RSY_PRIMARY}
 --username=administrator
 --password=$SMB_ADMINPASS
 --realm=$SMB_REALM
- --option=\"dns forwarder = 127.0.0.11\"
+ --option=\"dns forwarder = ${SMB_FORWARD}\"
 --option=\"dns update command = /usr/sbin/samba_dnsupdate --current-ip $SMB_HOSTIP\"
 --option=\"rpc server dynamic port range = $SMB_RPC_PORTS\"
 --option=\"template homedir = /home/%D/%U\"
@@ -22,6 +23,8 @@ if [ -z "$(ls /var/lib/samba/private)" ]; then
 --option=\"idmap config $SMB_DOMAIN:unix_nss_info = yes\"
 --option=\"idmap config $SMB_DOMAIN:unix_primary_group = yes\"
 --option=\"idmap_ldb:use rfc2307 = yes\"
+ --option=\"bind interfaces only = yes\"
+ --option=\"interfaces = $SMB_HOSTIP 127.0.0.1\"
 "
 if [ $SMB_USEBIND9 = "true" ]; then
 SMB_TMP_PARAM+=" --dns-backend=BIND9_DLZ"
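Review bot: `--server=${RSY_PRIMARY}` in the config-secondary.sh @@ -9 hunk makes the join depend on a variable that is never checked, and SMB_TMP_PARAM is later expanded through `eval samba-tool domain join …` (visible in the @@ -68 hunk below), so an unset RSY_PRIMARY produces a bare `--server=` and any shell metacharacter in the value is re-parsed by the shell. Guard it before the assignment: `: "${RSY_PRIMARY:?RSY_PRIMARY must be set to the primary DC address}"`. Naming the primary explicitly presumably compensates for docker-compose.yml.secondary now pointing `dns:` at the secondary's own address instead of the primary's; recording that with `# join via the primary directly: this DC's own DNS is not running yet` would keep the reason from being lost. The enclosing `if` block starts above the hunk.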
@@ -68,21 +71,6 @@ if [ -z "$(ls /var/lib/samba/private)" ]; then
 mv --backup=numbered /etc/samba/smb.conf /etc/samba/smb.conf.bak
 eval samba-tool domain join $SMB_REALM DC "$SMB_TMP_PARAM"
 if [ $? -ne 0 ]; then exit 0; fi
-
- # Deletion of IP addresses in the container registered in Primary DNS
- MYHOSTIP=$(grep $(hostname) /etc/hosts | sed "s/^\(.*\)\s.*/\1/")
- MYHOSTNM=$(hostname)
- samba-tool dns update $SMB_REALM \
- $SMB_REALM $MYHOSTNM \
- A $MYHOSTIP $SMB_HOSTIP \
- --username Administrator --password $SMB_ADMINPASS
- # Delete myhostip after 30 sec.
- /bin/bash -c "sleep 30;
- samba-tool dns delete localhost \
- $SMB_REALM $MYHOSTNM \
- A $MYHOSTIP \
- --username Administrator --password $SMB_ADMINPASS
- " &
 fi
 #----------------------------------------------------------------------
@@ -131,6 +119,9 @@ EOF
 echo "ServerName localhost" | tee /etc/apache2/conf-available/fqdn.conf
 a2enconf fqdn
+ # Sets the port used by apache.
+ sed -i "s/Listen 80/Listen $SMB_WEB_PORTS/" /etc/apache2/ports.conf
+
 # Setup phpLdapAdmin.
 if [ -e /root/packages/phpLDAPadmin-1.2.3.tar.gz ]; then
 a2dismod php8.1
@@ -173,11 +164,6 @@ fi
 #----------------------------------------------------------------------
 echo "Setting to do every time"
-# Resolver settings.
-cp /etc/resolv.conf /root/packages/resolv.conf
-sed -i "s/nameserver 127.0.0.11/nameserver 127.0.0.1/" /root/packages/resolv.conf
-cat /root/packages/resolv.conf > /etc/resolv.conf
-
 # Switch DNS backend.
 if [ $SMB_USEBIND9 = "true" ]; then
 if [ ! -e /var/lib/samba/bind-dns/named.conf ]; then
@@ -188,7 +174,7 @@ if [ $SMB_USEBIND9 = "true" ]; then
 cp -a /etc/bind/named.conf /etc/bind/named.conf.bak
 sed -i "\$a include \"/var/lib/samba/bind-dns/named.conf\";" /etc/bind/named.conf
 cp -a /etc/bind/named.conf.options /etc/bind/named.conf.options.bak
- sed -i "/listen-on-v6/a\\\n\tforwarders { 127.0.0.11; };\n\tallow-query { any; };\n\tallow-transfer { none; };\n\ttkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";\n\tminimal-responses yes;" /etc/bind/named.conf.options
+ sed -i "/listen-on-v6/a\\\n\tforwarders { ${SMB_FORWARD}; };\n\tallow-query { any; };\n\tallow-transfer { none; };\n\ttkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";\n\tminimal-responses yes;" /etc/bind/named.conf.options
 cp -a /etc/bind/named.conf.local /etc/bind/named.conf.local.bak
 sed -i "s@^//include@include@" /etc/bind/named.conf.local
 fi
diff --git a/setufw.sh b/setufw.sh
new file mode 100755
index 0000000..3a75155
--- /dev/null
+++ b/setufw.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+ufw $1 allow to any port 53 proto any from any comment "DNS"
+ufw $1 allow to any port 135 proto tcp from any comment "End Point Mapper(WINS)"
+ufw $1 allow to any port 137 proto udp from any comment "NetBIOS Name Service"
+ufw $1 allow to any port 138 proto udp from any comment "NetBIOS Datagram"
+ufw $1 allow to any port 139 proto tcp from any comment "NetBIOS Session"
+ufw $1 allow to any port 445 proto tcp from any comment "SMB over TCP"
+ufw $1 allow to any port 389 proto any from any comment "LDAP"
+ufw $1 allow to any port 636 proto tcp from any comment "LDAPS"
+ufw $1 allow to any port 88 proto any from any comment "Kerberos"
+ufw $1 allow to any port 464 proto any from any comment "Kerberos kpasswd"
+ufw $1 allow to any port 3268 proto tcp from any comment "Global Catalog"
+ufw $1 allow to any port 3269 proto tcp from any comment "Global Catalog SSL"
+ufw $1 allow to any port 49152:49200 \
+ proto tcp from any comment "RPC The same value as SMB_RPC_PORTS."
+# for Primary
+ufw $1 allow to any port 873 proto tcp from any comment "rsync"
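Review bot: `$1` is spliced unvalidated into every `ufw` line, so the script only behaves as documented when it is empty or `delete`; any other word becomes the ufw subcommand and is run fifteen times as root. Validate it once at the top: `case "${1:-}" in ""|delete) ;; *) echo "usage: $0 [delete]" >&2; exit 1;; esac`. Every rule uses `to any`, so with `network_mode: "host"` the DC ports are opened on all host interfaces even though the config scripts in this commit bind Samba to `$SMB_HOSTIP 127.0.0.1`; restricting `to` to the DC's address (the values already kept in .env) would keep the firewall scope aligned with the bind scope, and the README's advice about narrowing `from` could be echoed in a header comment here. The rsync rule is applied unconditionally despite the `# for Primary` comment, and no rule covers `SMB_WEB_PORTS` (8081), which the README tells the user to open by hand — both are worth either implementing or stating explicitly in the script.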