Which TCP/UDP ports are used for Active Directory authentication when using winbind?
Environment
- Red Hat Enterprise Linux 5, 6, 7, 8, 9
- samba-winbind
Issue
- In an environment where Windows Active Directory acts as the authentication server, the customer wants to know the source port number (range) and destination port number used by RHEL as the authentication client.
- I guess winbind is used in that case.
Resolution
When we look at the smb service, this service listens on two TCP ports by default. This is dictated by the "smb ports = 445 139" setting in smb.conf. In the example below you can see the RHEL system listening on both IPv4 and IPv6.
You can also see winbind operating from random source ports and connecting to ports 445 and 389. These are common connections that winbind makes to the different AD controllers. In this example this is a controller in the primary domain. Also notice that winbind is using a connection from a random source port to the "TCP Dynamic" range on the AD controller. You can find this referenced in the link above.
If there are trusted domains, in most cases winbind will spawn a PID per domain, and this PID will connect to a controller in the specific trusted domain. This will vary depending on the environment.
# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 25886/smbd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 25886/smbd
tcp 0 0 :::139 :::* LISTEN 25886/smbd
tcp 0 0 :::445 :::* LISTEN 25886/smbd
tcp 0 0 10.13.211.119:41967 10.13.211.118:445 ESTABLISHED 25797/winbindd
tcp 0 0 10.13.211.119:52965 10.13.211.118:49155 ESTABLISHED 25797/winbindd
tcp 0 0 10.13.211.119:33393 10.13.211.118:389 ESTABLISHED 25797/winbindd
The nmb service listens on the UDP ports shown below (137 and 138) and communicates with other systems for WINS requests over these ports.
# netstat -anpu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 10.13.211.255:137 0.0.0.0:* 5567/nmbd
udp 0 0 10.13.211.119:137 0.0.0.0:* 5567/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 5567/nmbd
udp 0 0 10.13.211.255:138 0.0.0.0:* 5567/nmbd
udp 0 0 10.13.211.119:138 0.0.0.0:* 5567/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 5567/nmbd
Also, winbind will use dynamic (ephemeral) ports as the source port and 88 as the destination port. IANA suggests the range 49152 to 65535 for ephemeral ports, and this is what winbind will use.
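As an added example (not part of the Red Hat solution above), the following POSIX shell script turns the port list from this resolution into a quick baseline check: it reads netstat -anpt style output, picks out the ESTABLISHED connections owned by winbindd, and labels each destination port as Kerberos (88), LDAP (389), SMB (445), the 49152-65535 dynamic RPC range, or "unexpected". The sample lines embedded in SAMPLE_NETSTAT are constructed from the output shown above, with two extra lines (port 88 and port 8080) added to exercise the Kerberos and unexpected cases; the function names and the label strings are this example's own choices.

```shell
#!/bin/sh
# Added example: classify winbindd's outbound connections against the ports
# named in the resolution (88, 389, 445 and the 49152-65535 dynamic range).

# Constructed sample, modelled on the "netstat -anpt" output in the article.
# The 88 and 8080 lines are added here to exercise the Kerberos and
# "unexpected" branches; they are not from the original output.
SAMPLE_NETSTAT='tcp 0 0 10.13.211.119:41967 10.13.211.118:445 ESTABLISHED 25797/winbindd
tcp 0 0 10.13.211.119:52965 10.13.211.118:49155 ESTABLISHED 25797/winbindd
tcp 0 0 10.13.211.119:33393 10.13.211.118:389 ESTABLISHED 25797/winbindd
tcp 0 0 10.13.211.119:40012 10.13.211.118:88 ESTABLISHED 25797/winbindd
tcp 0 0 10.13.211.119:40013 10.13.211.118:8080 ESTABLISHED 25797/winbindd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 25886/smbd'

# classify_port PORT: print a label for a destination port used by winbindd.
classify_port() {
    case "$1" in
        88)  echo "kerberos" ;;
        389) echo "ldap" ;;
        445) echo "smb" ;;
        *[!0-9]*|"") echo "unexpected" ;;   # not a numeric port (e.g. "*")
        *)
            # IANA ephemeral / Windows "TCP Dynamic" range used for RPC
            if [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]; then
                echo "dynamic-rpc"
            else
                echo "unexpected"
            fi ;;
    esac
}

# winbind_connections: read netstat -anpt output on stdin and print
# "<destination port> <label>" for every ESTABLISHED winbindd connection.
# The port is the last colon-separated field, which also works for IPv6
# foreign addresses such as ":::445".
winbind_connections() {
    awk '$6 == "ESTABLISHED" && $7 ~ /winbindd$/ {
            n = split($5, a, ":"); print a[n]
         }' |
    while read -r port; do
        printf '%s %s\n' "$port" "$(classify_port "$port")"
    done
}

# count_unexpected: number of winbindd connections to ports outside the
# expected set (stdin = netstat output). grep -c exits 1 on zero matches,
# so "|| true" keeps the count usable under "set -e".
count_unexpected() {
    winbind_connections | grep -c ' unexpected$' || true
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | winbind_connections
printf 'unexpected connections: %s\n' \
    "$(printf '%s\n' "$SAMPLE_NETSTAT" | count_unexpected)"
```

On a live system, replace the sample with real output (for example `netstat -anpt | winbind_connections`); any line labelled "unexpected" is a destination a winbind client should not normally need and is worth explaining before a firewall rule set is written from this list.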
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.