[cifs-protocol] LdapEnforceChannelBinding details
Stefan Metzmacher
metze at samba.org
Thu Sep 28 14:19:57 UTC 2023
Hi DocHelp,
I'm trying to connect to a server with LdapEnforceChannelBinding=2
and can't get it working.
MS-NLMP specifies ClientChannelBindingsUnhashed and ServerChannelBindingsUnhashed
as input from the application.
MS-ADTS 5.1.2.2 Using SSL/TLS specifies that "tls-server-endpoint"
channel bindings should be used.
Can you please document with examples values how
ServerChannelBindingsUnhashed is constructed.
I'm getting these 32 bytes from gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)
[0000] 84 84 FE 71 87 5F 0E 25 9B 7C 0D AA 40 7C DF D9 ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC 3C 84 27 5D CE 72 AD E2 W.Lk.... <.'].r..
And I'm also getting this when I manually copy the certificate blob
from the TLS1.2 Server Certificate message and do a sha256sum on it.
I tried the following already.
4-zero bytes for initiator_addrtype
4-zero bytes for initiator_address.length
4-zero bytes for acceptor_addrtype
4-zero bytes for acceptor_address.length
4 little endian bytes for '32' application_data.length
32 bytes for application_data.data
[0000] 00 00 00 00 ....
[0000] 00 00 00 00 ....
[0000] 00 00 00 00 ....
[0000] 00 00 00 00 ....
[0000] 20 00 00 00 ...
[0000] 84 84 FE 71 87 5F 0E 25 9B 7C 0D AA 40 7C DF D9 ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC 3C 84 27 5D CE 72 AD E2 W.Lk.... <.'].r..
And the resulting MD5 hash over all of this is:
[0000] 00 3D 9C 0F D6 63 38 B1 B0 F8 53 63 A8 0A C8 6D .=...c8. ..Sc...m
And I put this into the MTLMv2 exchange:
pair: struct AV_PAIR
AvId : MsvChannelBindings (0xA)
AvLen : 0x0010 (16)
Value : union ntlmssp_AvValue(case 0xA)
ChannelBindings : 003d9c0fd66338b1b0f85363a80ac86d
LDAP error 49 LDAP_INVALID_CREDENTIALS - <80090346: LdapErr: DSID-0C0905E2, comment: AcceptSecurityContext error, data 80090346, v3839>
80090346 is HRES_SEC_E_BAD_BINDINGS
Can you please clarify this?
Thanks!
metze
More information about the cifs-protocol
mailing list