From a566657f9d73a01b08017d251c4a0776d46265e2 Mon Sep 17 00:00:00 2001 From: Gabe Date: Fri, 30 Oct 2015 09:11:00 -0600 Subject: Incomplete ports for IPA AD Trust - Add subsection to ipa-adtrust-install man page - Update port information in ipa-adtrust-install https://fedorahosted.org/freeipa/ticket/5414 Reviewed-By: Alexander Bokovoy --- install/tools/ipa-adtrust-install | 4 ++++ install/tools/man/ipa-adtrust-install.1 | 25 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437..ff69d69e2 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -472,15 +472,19 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds +\t * 1024..1300: epmap listener range \tUDP Ports: \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 389: (C)LDAP \t * 445: microsoft-ds +See the ipa-adtrust-install(1) man page for more details + ============================================================================= """) if admin_password: diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index 06378b598..36c468336 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -36,6 +36,31 @@ configuration of the local range cannot be changed by running ipa\-adtrust\-install a second time because with changes here other objects might be affected as well. +.SS "Firewall Requirements" +In addition to the IPA server firewall requirements, ipa\-adtrust\-install requires +the following ports to be open to allow IPA and Active Directory to communicate together: + +\fBTCP Ports\fR +.IP +\(bu 135/tcp EPMAP +.IP +\(bu 138/tcp NetBIOS-DGM +.IP +\(bu 139/tcp NetBIOS-SSN +.IP +\(bu 445/tcp Microsoft-DS +.IP +\(bu 1024/tcp through 1300/tcp to allow EPMAP on port 135/tcp to create a TCP listener based +on an incoming request. +.TP +\fBUDP Ports\fR +.IP +\(bu 138/udp NetBIOS-DGM +.IP +\(bu 139/udp NetBIOS-SSN +.IP +\(bu 389/udp LDAP + .SH "OPTIONS" .TP \fB\-d\fR, \fB\-\-debug\fR -- cgit
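Review bot: In install/tools/ipa-adtrust-install, the new TCP entry "1024..1300: epmap listener range" is too terse to tell an administrator why 277 extra ports must be opened, and its ".." notation differs from the "1024/tcp through 1300/tcp" wording the same patch adds to the man page. Suggest wording it to match the man page, for example "1024-1300: listeners created on request by epmap (135)", so the installer output and ipa-adtrust-install(1) describe the range the same way. The added "See the ipa-adtrust-install(1) man page for more details" line would also read better with a closing period.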
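Review bot: In install/tools/man/ipa-adtrust-install.1, the UDP list in the new "Firewall Requirements" subsection ends at "389/udp LDAP", but the installer message touched by this same patch also lists "445: microsoft-ds" under UDP Ports. Either add a "\(bu 445/udp Microsoft-DS" item here or drop it from the script, so the two lists agree. The two sub-headings also use different markup: "\fBTCP Ports\fR" is a plain text line while "\fBUDP Ports\fR" follows a ".TP" macro, so they will render with different indentation; use the same construct for both. Minor wording: "communicate together" can be just "communicate", and the script labels 389 as "(C)LDAP" while the man page says "LDAP".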