Andrew Suffield wrote:
On Wed, Nov 29, 2006 at 04:43:17PM +0700, Fajar Priyanto wrote:
I understand that in order to allow samba to work, we need to allow several 
ports, such as tcp 445, tcp/udp 137,138,139.

But recently a friend of mine said that the only port that needs to be opened is 
tcp 445? Is this true? 

What is the actual purpose of those 137:139 ports? In /etc/services it's said 
that they are netbios-ssn. But I'm not really sure the real meaning of it.

"Samba" (and "Windows File & Print") refers to a group of about six
different protocol variations. With each major release of Windows (and
OS/2 LanManager), Microsoft has reinvented it, because all their
previous attempts sucked. Different variations of these use different
combinations of ports. At least one of them is capable of operating
over port 445 alone.

A modern WinXP system can talk *all* of these. You have limited
control over which it uses, even in a purely WinXP network. The exact
details of how it decides which protocol to use are secret (if anybody
at Microsoft even knows - this is uncertain, the code is reportedly
complicated and undocumented), and the internet is rife with
inaccurate speculations on the subject being presented as fact. Do not
expect it to behave sanely. In theory, it should attempt to use both
port 445 and 139 and take whichever works. In practice, it varies,
especially on a desktop that's been in use for a few months and is
starting to show signs of bitrot.

Opening all the ports ensures that the firewall won't get in the way
of whatever the stupid thing decides to do. Individual sites may find
that they can get by with less, depending on configuration and the
phases of the moon.

This story is not completely true.
My experience in my customers' networks is this:
WinXP clients and W2K SP4 clients *can* use port 445 only, *if* you take care
of your network configuration: servers need to be in an ADS in non-compatibility mode
(no NT4 anywhere); this is possible with W2K Server SP4 and W2K3 Server R1 and R2.
No NetBIOS name resolution, DNS only; this means no WINS server, no workgroup access,
domain access only, no local file or printer sharing, server-side shares only.
Like this, port 445 is "the modern way" to get Windows machines to talk to each other.
BTW, this is the safest configuration of all; if you then get Kerberos working in your
net, you are on the right track to more security even in Windows networks.
BUT: Samba is a different thing, and as you already stated, the underlying (MS) internals
are not publicly documented, so it is impossible for Samba to be completely like "the original".

Just my 2 cents
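An added example, not part of this thread or of Samba: a small Python probe that checks a server the two ways the thread describes. Port 445 carries SMB directly over TCP, so a completed connection is all that is checked there; port 139 is the NetBIOS session service, so the probe sends an RFC 1002 session request (with the "*SMBSERVER" called name, an assumption) and looks for the positive-response byte 0x82 before treating the port as usable. `pick_smb_transport` tries both in parallel and takes whichever works, preferring 445, which is the behaviour Andrew describes as the theory. The two fake servers and the port numbers are constructed stand-ins so the script runs offline; point the probe functions at a real host and the default ports to use them for real.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

DIRECT_SMB_PORT = 445   # direct-hosted SMB over TCP
NETBIOS_SSN_PORT = 139  # SMB over the NetBIOS session service (RFC 1001/1002)


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1002 first-level encoding: 15 chars space-padded plus a suffix byte
    (0x20 = file server service); each byte is split into two nibbles and
    'A' (0x41) is added to each. Result is a 34-byte label: len, 32 chars, 0."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = bytes(0x41 + ((b >> shift) & 0x0F) for b in raw for shift in (4, 0))
    return b"\x20" + encoded + b"\x00"


def netbios_session_request(called: str, calling: str) -> bytes:
    """Session request packet: type 0x81, flags 0x00, 16-bit length, two names."""
    body = encode_netbios_name(called) + encode_netbios_name(calling)
    return b"\x81\x00" + len(body).to_bytes(2, "big") + body


def probe_direct_smb(host, port=DIRECT_SMB_PORT, timeout=2.0):
    """Port 445 needs no NetBIOS preamble; a TCP connect is enough to say 'open'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_netbios_session(host, port=NETBIOS_SSN_PORT, timeout=2.0, called="*SMBSERVER"):
    """Port 139 must accept a session request first: 0x82 = positive session
    response, 0x83 = negative (e.g. called name not owned by this server)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(netbios_session_request(called, "PROBE"))  # "PROBE" = our calling name
            reply = s.recv(4)
    except OSError:
        return False
    return len(reply) == 4 and reply[0] == 0x82


def pick_smb_transport(host, port_445=DIRECT_SMB_PORT, port_139=NETBIOS_SSN_PORT, timeout=2.0):
    """Try both transports in parallel and take whichever works, preferring 445.
    Returns (chosen transport or None, {"445": reachable, "139": reachable})."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        f445 = pool.submit(probe_direct_smb, host, port_445, timeout)
        f139 = pool.submit(probe_netbios_session, host, port_139, timeout)
        results = {"445": f445.result(), "139": f139.result()}
    chosen = "445" if results["445"] else ("139" if results["139"] else None)
    return chosen, results


# --- constructed stand-ins so the example runs offline (not real SMB servers) ---
def start_fake_server(accept_netbios: bool):
    """Listen on an ephemeral 127.0.0.1 port; if accept_netbios, answer a
    session request (0x81) with a positive session response (0x82)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if accept_netbios:
                    conn.settimeout(1.0)
                    try:
                        if conn.recv(72)[:1] == b"\x81":
                            conn.sendall(b"\x82\x00\x00\x00")
                    except OSError:
                        pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def unused_port():
    """Pick a port nothing is listening on, so a connect to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe two constructed hosts: one that only offers 445, one only 139."""
    p445, stop_a = start_fake_server(accept_netbios=False)
    p139, stop_b = start_fake_server(accept_netbios=True)
    try:
        only_445 = pick_smb_transport("127.0.0.1", port_445=p445, port_139=unused_port())
        only_139 = pick_smb_transport("127.0.0.1", port_445=unused_port(), port_139=p139)
    finally:
        stop_a.set()
        stop_b.set()
    return only_445, only_139


if __name__ == "__main__":
    print(demo())
```

The encoded "*SMBSERVER" name comes out as the familiar "CKFDENECFDEFFCFGEFFCCACACACACACA" string seen in packet captures of port 139 sessions; that preamble is exactly what 445 does away with, which is why a 445-only host needs no NetBIOS name resolution at all.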