Winbind is preventing web connection to AV config portal.

 
Fred Abell
Occasional Advisor


I have installed Virusscan (McAfee AV) for Linux on a RHEL 5.8 machine. Installation went without problems.

 

Running Virusscan requires that I connect to the machine with a web browser at https://machine:55443. I get a timeout error. I ran Wireshark and saw an ICMP "Destination unreachable (Host administratively prohibited)" message when trying to connect.

 

I have Winbind installed, but have not yet hardened the machine. The computer requires AD credentials to log in, and I restrict users in an AD group with a line in /etc/security/pam_winbind.conf:

 

require_membership_of=testserver01A

 

If I comment out the above line, and restart, I get the same answer.

 

Should I be configuring something else to allow this connection to be made?

2 REPLIES
Matti_Kurkela
Honored Contributor
Solution

Re: Winbind is preventing web connection to AV config portal.

If you installed RHEL 5.8 with default settings, the system has an iptables firewall enabled by default.

 

You can use the "system-config-securitylevel" utility to add port 55443 to the list of allowed ports. By default, incoming connections are restricted to SSH only. The software packages included in the RHEL installation media *may* add their ports to the allowed list automatically, but third-party software like McAfee AV needs to have the required network ports added to the "allow" list by the sysadmin.

 

The rejection with the specific "host administratively prohibited" ICMP code makes it very likely the rejection is by iptables: if it was because the web GUI of the anti-virus software was not running, you would have received a TCP reset packet or an ICMP "Destination unreachable (port-unreachable)" instead.

 

I don't see how Winbind would be related to the access problem at all. A TCP connection does not include any usernames or passwords as TCP protocol options, so the server cannot make any decisions to reject the connection based on usernames at that point.

MK
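
The diagnosis in the reply above, as an added example that is not part of the original thread: the script walks a ruleset in iptables-save format and reports which rule decides a new TCP connection to a given port. The sample ruleset is constructed to resemble a default RHEL 5 firewall, and `sample_rules`, `fixed_rules` and `port_verdict` are hypothetical names.

```shell
# Constructed sample modelled on a default RHEL 5 /etc/sysconfig/iptables
# (abbreviated): only SSH is opened, everything else hits the final REJECT.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
# Same ruleset with port 55443 opened ahead of the REJECT (same form as SSH).
fixed_rules() {
    new="-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 55443 -j ACCEPT"
    sample_rules | awk -v new="$new" '/-j REJECT/ { print new } { print }'
}
# port_verdict PORT (ruleset on stdin): first rule deciding a new TCP
# connection from a remote host to PORT. Assumption: rules are read in file
# order as if they formed a single chain.
port_verdict() {
    awk -v port="$1" '
    $1 != "-A" { next }                       # table/chain headers, COMMIT
    {
        proto = ""; dport = ""; target = ""; rw = ""; narrowed = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--reject-with") rw = $(i + 1)
            else if ($i == "-i" || $i == "-s") narrowed = 1
            else if ($i == "--state" && $(i + 1) !~ /NEW/) narrowed = 1
        }
        if (narrowed || (proto != "" && proto != "tcp")) next
        if (dport != "") {                    # single port or low:high range
            n = split(dport, r, ":"); hi = (n > 1 ? r[2] : r[1])
            if (port + 0 < r[1] + 0 || port + 0 > hi + 0) next
        }
        if (target == "ACCEPT") { print "accept"; done = 1; exit }
        if (target == "REJECT" || target == "DROP") {
            print tolower(target) (rw == "" ? "" : ":" rw); done = 1; exit
        }
    }
    END { if (!done) print "no-match" }'
}
echo "55443 before: $(sample_rules | port_verdict 55443) / after: $(fixed_rules | port_verdict 55443)"
```

On a live host, pipe the output of `iptables-save` into `port_verdict 55443` instead of the sample.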
Fred Abell
Occasional Advisor

Re: Winbind is preventing web connection to AV config portal.

Of course it was a simple solution. Thanks MK!