Bug 46809

Summary: Errors accessing Windows services (RDP, shares, MySQL) in UCS 4.3 domain (Samba 4.7)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Samba4
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: luft, stoeckigt, voelker
Version: UCS 4.3
Target Milestone: UCS 4.3-0-errata
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018040421001484, 2018032121001248, 2018031521000251
Bug group (optional):
Max CVSS v3 score:

Description Arvid Requate univentionstaff 2018-04-11 19:05:05 CEST
We have a couple of reports about connection errors to Windows services like RDP, MySQL and Windows file share access.


It looks like the firewall of the UCS 4.3 Samba/AD DCs is blocking TCP ports dynamically allocated by Samba 4.7. The following adjustment fixed the issues (at least RDP and share access):

=============================================================================
# Allow the full range of TCP ports dynamically allocated by Samba 4.7
ucr set \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all="ACCEPT" \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en="Dynamic RPC Ports (Samba)"

# Remove the entries for the single port 49152
ucr unset \
     security/packetfilter/package/univention-samba4/tcp/49152/all \
     security/packetfilter/package/univention-samba4/tcp/49152/all/en

# Reload the packet filter so the new rule takes effect
service univention-firewall restart
=============================================================================

Please note that this needs to be adjusted on all UCS 4.3 Samba/AD DCs.
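
Added example (not part of the original report and not Univention code): since the adjustment has to be made on every Samba/AD DC, this check reads packet-filter UCR variables and succeeds only if one tcp ACCEPT entry spans the whole dynamic RPC range. The function name covers_rpc_range is hypothetical, the "key: value" input format is assumed to match the output of `ucr search --brief`, and the two sample dumps are constructed.

```bash
#!/bin/bash
# Added example: audit UCR packet-filter variables for the dynamic RPC range.
# Assumption: input is "key: value" lines, as printed by
#   ucr search --brief '^security/packetfilter/'

# covers_rpc_range [LOW] [HIGH]
# Reads UCR lines on stdin. Returns 0 only if a single tcp entry with value
# ACCEPT covers LOW..HIGH completely (default 49152..65535). Adjacent entries
# that would only cover the range when combined are not merged.
covers_rpc_range() {
    awk -v low="${1:-49152}" -v high="${2:-65535}" '
        # Match .../tcp/<port or port:port>/all and skip the .../all/en text keys
        $1 ~ "/tcp/[0-9:]+/all:$" && $2 == "ACCEPT" {
            n = split($1, k, "/")
            for (i = 1; i < n; i++) {
                if (k[i] != "tcp") continue
                m = split(k[i + 1], r, ":")
                lo = r[1] + 0
                hi = (m > 1 ? r[2] : r[1]) + 0
                if (lo <= low + 0 && hi >= high + 0) found = 1
            }
        }
        END { exit !found }
    '
}

# Constructed sample: only the single port 49152 is open (state before the fix)
SAMPLE_BEFORE='security/packetfilter/package/univention-samba4/tcp/445/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/49152/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/49152/all/en: Dynamic RPC Ports'

# Constructed sample: state after the ucr set / ucr unset commands above
SAMPLE_AFTER='security/packetfilter/package/univention-samba4/tcp/445/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/49152:65535/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en: Dynamic RPC Ports (Samba)'

# report NAME: print the result for data piped in on stdin
report() {
    if covers_rpc_range; then echo "$1: dynamic RPC range open"
    else echo "$1: dynamic RPC range NOT fully open"; fi
}

printf '%s\n' "$SAMPLE_BEFORE" | report "before fix"
printf '%s\n' "$SAMPLE_AFTER"  | report "after fix"
```

On a DC, the same function can be fed with `ucr search --brief '^security/packetfilter/' | covers_rpc_range`.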
Comment 1 Arvid Requate univentionstaff 2018-04-11 19:16:31 CEST
29178dc7c3 | Fix
6cdf97d17d | Advisory
Comment 2 Felix Botner univentionstaff 2018-04-12 15:09:25 CEST
OK - access of windows share via ip 
OK - rdp from windows to other windows client
OK - YAML
Comment 3 Arvid Requate univentionstaff 2018-04-18 13:52:02 CEST
<http://errata.software-univention.de/ucs/4.3/15.html>