
Ports Used For Active Directory Authentication and Resource Access




We wondered exactly which ports were being used for Active Directory authentication and the associated resource access. This can be monitored using tcpdump. If we run the following commands:

[root@srv-34 root]# kinit administrator@SIGNALQINT.COM
Password for administrator@SIGNALQINT.COM:
[root@srv-34 root]# smbclient //10.50.100.36/public -k
added interface ip=10.50.100.53 bcast=10.50.100.255 nmask=255.255.255.0
Doing spnego session setup (blob length=106)
Doing kerberos session setup
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: >
[root@srv-34 root]#

This shows up in the following tcpdump session:

[root@srv-1 doc]# /usr/sbin/tcpdump dst 10.50.100.36 -nn -q
tcpdump: listening on eth0
10.50.100.53.1026 > 10.50.100.36.88:  udp
10.50.100.53.1026 > 10.50.100.36.88:  udp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1026 > 10.50.100.36.88:  udp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
10.50.100.53.1033 > 10.50.100.36.445: tcp
15 packets received by filter

Our Active Directory server is at address 10.50.100.36. Port 88 is Kerberos v5, and port 445 is microsoft-ds. The initial authentication gets two hits on port 88, but we get one more hit on port 88 in between a bunch of port 445s when we connect to the public share. Even when we transfer a file from the share, all traffic is still via port 445.
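
A small parser for the `tcpdump -nn -q` lines shown above, added here as an illustration and not part of the original article: it tallies packets per destination port and lists the runs in capture order, which makes the extra port 88 packet between the port 445 traffic visible. The function names are hypothetical, and the sample input is rebuilt from the article's two distinct packet lines in the same order.

```python
import re
from collections import Counter
from itertools import groupby

# The article's capture, rebuilt in the same packet order from its two distinct lines.
KRB = "10.50.100.53.1026 > 10.50.100.36.88:  udp"
SMB = "10.50.100.53.1033 > 10.50.100.36.445: tcp"
CAPTURE = (["tcpdump: listening on eth0"] + [KRB] * 2 + [SMB] * 4 + [KRB]
           + [SMB] * 8 + ["15 packets received by filter"])

# Service names as given in the article.
SERVICES = {88: "kerberos", 445: "microsoft-ds"}

# "src.port > dst.port: proto"; search() tolerates a leading prefix, re.I either case.
PACKET = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+):\s+(udp|tcp)\b", re.I)


def parse(lines):
    """Yield (proto, dst_port, src_port) per packet line; banner lines are skipped."""
    for line in lines:
        m = PACKET.search(line)
        if m:
            yield m.group(5).lower(), int(m.group(4)), int(m.group(2))


def totals(lines):
    """Packets per (proto, dst_port): the destination ports seen in the capture."""
    return Counter((proto, dport) for proto, dport, _ in parse(lines))


def runs(lines):
    """Consecutive packets to the same (proto, dst_port), in capture order."""
    flows = ((proto, dport) for proto, dport, _ in parse(lines))
    return [(proto, dport, len(list(grp))) for (proto, dport), grp in groupby(flows)]


if __name__ == "__main__":
    for (proto, dport), n in sorted(totals(CAPTURE).items()):
        print(f"{proto}/{dport} ({SERVICES.get(dport, 'unknown')}): {n} packets")
    for proto, dport, n in runs(CAPTURE):
        print(f"  {n:2d} x {proto}/{dport}")
```

To use it on a live capture, pass the lines of saved `tcpdump -nn -q` output to `totals()` or `runs()` instead of `CAPTURE`.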



This article comes from NetAdminTools:
http://www.netadmintools.com/

The URL for this story is:
http://www.netadmintools.com/art173.html

Copyright 1997-2008 NetAdminTools.com.