We wanted to know exactly which ports are used by Active Directory authentication and the resource access that follows it. This can be observed with tcpdump. We ran the following commands:
    [root@srv-34 root]# kinit administrator@SIGNALQINT.COM
    Password for administrator@SIGNALQINT.COM:
    [root@srv-34 root]# smbclient //10.50.100.36/public -k
    added interface ip=10.50.100.53 bcast=10.50.100.255 nmask=255.255.255.0
    Doing spnego session setup (blob length=106)
    Doing kerberos session setup
    OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
    smb: \>
    [root@srv-34 root]#
This shows up as follows in a tcpdump session run at the same time on another host:
    [root@srv-1 doc]# /usr/sbin/tcpdump dst 10.50.100.36 -nn -q
    tcpdump: listening on eth0
    10.50.100.53.1026 > 10.50.100.36.88: udp
    10.50.100.53.1026 > 10.50.100.36.88: udp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1026 > 10.50.100.36.88: udp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    10.50.100.53.1033 > 10.50.100.36.445: tcp
    15 packets received by filter
Our Active Directory server is at address 10.50.100.36. Port 88 is Kerberos v5 and port 445 is microsoft-ds. The initial authentication (kinit) produces two packets to port 88; connecting to the public share produces one more packet to port 88 in the middle of a run of port 445 packets. Even when we transfer a file from the share, all traffic still goes over port 445.
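To tally a capture like the one above by destination port instead of reading it by eye, here is an added Python example (not part of the original note). It assumes the tcpdump -nn -q line format shown above (an optional leading timestamp is tolerated), embeds those 15 flow lines as its input, and uses an allowlist of expected ports that is only the two this capture showed.

```python
import re
from collections import Counter

# Matches "src.sport > dst.dport: proto" in tcpdump -nn -q output; search() rather
# than match() so a leading timestamp (printed by most tcpdump versions) is ignored.
LINE_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (udp|tcp)\b"
)

# Assumed allowlist: only the ports seen in the page's capture. A real AD client
# also talks LDAP, DNS and RPC, so extend this from your own captures.
EXPECTED_PORTS = {88: "kerberos", 445: "microsoft-ds"}

# The 15 flow lines of the tcpdump session above, embedded so this runs offline:
# 2 x kerberos, 4 x smb, 1 x kerberos, 8 x smb, in that order.
CAPTURE = (
    "10.50.100.53.1026 > 10.50.100.36.88: udp\n" * 2
    + "10.50.100.53.1033 > 10.50.100.36.445: tcp\n" * 4
    + "10.50.100.53.1026 > 10.50.100.36.88: udp\n"
    + "10.50.100.53.1033 > 10.50.100.36.445: tcp\n" * 8
)


def parse_flows(text):
    """Yield (proto, src_ip, sport, dst_ip, dport) per flow line; tcpdump's own chatter is skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            yield proto, src, int(sport), dst, int(dport)


def summarize(text):
    """Return ({dport: packets}, [(proto, dport, run_length), ...]) preserving packet order."""
    counts = Counter()
    runs = []  # consecutive packets to the same proto/port collapsed into one run
    for proto, _src, _sport, _dst, dport in parse_flows(text):
        counts[dport] += 1
        if runs and runs[-1][:2] == (proto, dport):
            runs[-1] = (proto, dport, runs[-1][2] + 1)
        else:
            runs.append((proto, dport, 1))
    return counts, runs


def unexpected_ports(text, expected=EXPECTED_PORTS):
    """Destination ports seen that are not in the allowlist (empty for the page's capture)."""
    counts, _ = summarize(text)
    return sorted(p for p in counts if p not in expected)


if __name__ == "__main__":
    counts, runs = summarize(CAPTURE)
    for proto, port, n in runs:
        print(f"{n:2d} x {proto}/{port} ({EXPECTED_PORTS.get(port, 'unknown')})")
    print("unexpected ports:", unexpected_ports(CAPTURE))
```

Run it against a fresh capture (pipe tcpdump output into a file and load that instead of CAPTURE) to see at a glance whether a client is reaching the domain controller on anything beyond the ports you expect.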