Can I join a linux server to active directory from outside the network (across the internet using kerberos)

Posted on 2014-08-20
Last Modified: 2014-08-25
Here's what I'm trying to do:

I'd like to move my mail server outside of my LAN into the cloud for various reasons. The mailserver will be a linux machine, but our network is windows based, so users are authenticating against Active Directory. Each authenticated user gets a mailbox, pretty standard.

Now - I can use samba/winbind/krb5 to join a Linux mailserver to the AD domain very easily and happily have users authenticate to this machine using their domain credentials to retreive mail. What I'd like to do as part of this migration has not proved to be so simple. Even though the server is leaving the confines of the local network, I'd still like users to log in using their domain credentials (via kerberos) as before.

My question is a bit open ended... I've done a bit of reading which suggests kerberos is fairly sturdy and safe to use over the internet security-wise and so I've continued with the assumption that with the correct firewall setup it should be possible and not a huge security headache, I'm just not sure of the correct way to go about persuading my Windows domain controller to authenticate a user logging into a machine which lives on a separate network (calling in over the internet). My niaive assumption was you open up port 88, synchronise your clocks, and you can join the domain just as you normally would from within the LAN, however having gone through the normal steps (something I've done a few times with little trouble) I'm thinking I need to tell AD that it's okay to accept kerberos requests from this external source, or that there are more ports required than just the kerberos port (88).

Does anyone have any experience doing anything like this, or is it a fools errand?

One final note: a VPN is unfortunately not an option in this case, nor is a windows operating system for the remote computer.
Question by:Joe_Pritchard
    LVL 25

    Assisted Solution

    by:Zephyr ICT
    Well, since you've already said a VPN is not a possibility, I'm kinda reluctant to help because that would be the best solution ...

    But anyway, port 88 will be needed, but at a minimum port 389 (LDAP) will be needed as well, actually I think following ports will be needed:

    3268 - TCP (LDAP GC)
    389 - TCP/UDP (LDAP)
    88 - UDP/TCP (KERB)
    464 - UDP/TCP (Chg passw KERB)
    53 - TCP/UDP (DNS Obviously)
    And possibly 445 - TCP/UDP (SMB)
    LVL 25

    Accepted Solution

    Honestly, I don't think I'd try this without a VPN. If you really want to give it a go, though, this should prove to be useful:

    Service overview and network port requirements for Windows

    The Active Directory (Local Security Authority) section will be the most relevant one. The range of ports that must be opened for RPC is kind of a nightmare.
    LVL 1

    Author Closing Comment

    Hi Folks

    Thanks for your input.  I've been looking over the documentation suggested by DrDave242, and I also tried out the list of ports suggested by spravtek (no good, although opening the firewall that much gives me a nasty feeling so I probably wouldn't have left it like that permanently)

    In light if this I'm going to declare that it's not the way to go and suggest some alternatives. Chalk it up to a learning experience.

    Thanks for your time though.


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Is Threat Intelligence?

    Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

    Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
    It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
    In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    794 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now