[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Jeff McCashland (He/him) jeffm at microsoft.com
Wed Nov 9 19:58:11 UTC 2022


Hi Christof,

Was the information below sufficient to address your question? 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Friday, November 4, 2022 9:58 AM
To: Christof Schmitt <cs at samba.org>
Cc: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Hi Christof,

Our LDAP team provided a clarification on the referral chasing workaround: 

The following need to be true for that workaround to function
1)	The root of the search must be set to the parent domain's naming context, e.g. Contoso.com
2)	The search must target a root domain DC
3)	The search scope must be set to SubTree
4)	Referral Chasing has to be turned on at the client layer.

Additionally, we analyzed the network trace you uploaded. Referral chasing actually provided a list of referrals, but a failed binding blocked the operation. Here is feedback from our devs:
1.	Not using SASL/Kerberos
2.	Not using signing and encryption
3.	Attempting Simple Bind on the clear-text LDAP port rather than using TLS

Please use ldp.exe to show that it works when using a Windows client and the Windows client LDAP stack.  Also, we recommend against using simple bind with LDP.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
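The four referral-chasing conditions and the bind guidance from the message above, put together against the Windows LDAP stack (System.DirectoryServices.Protocols, which sits on wldap32.dll, the same stack ldp.exe uses). This is an editor-added example, not code from the thread, from Microsoft or from Samba. The root DC host name rootdc01.contoso.com, the naming context DC=contoso,DC=com and the member SID are placeholders; the `(member=<SID=...>)` filter uses the SID alternative form of a DN that MS-ADTS defines, which the thread's subject refers to but its messages do not spell out.

```powershell
# Added example (not from the thread): look up the groups that contain a
# given security principal, identified only by SID, from a forest-root DC
# with client-side referral chasing. Host, NC and SID are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$RootDc    = 'rootdc01.contoso.com'   # condition 2: a DC of the forest root domain
$RootNc    = 'DC=contoso,DC=com'      # condition 1: base = root domain naming context
$MemberSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # placeholder SID

$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($RootDc, 389)
$conn       = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)

# Bind the way the devs asked: SASL/Kerberos with signing and sealing on the
# standard port, no simple bind over clear text. With no explicit credential
# the current logon context is used; pass a NetworkCredential as the second
# LdapConnection constructor argument to bind as someone else.
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true

# Condition 4: referral chasing at the client layer, so referrals to child
# domain naming contexts are followed (with the same Kerberos identity).
$conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::All
$conn.Bind()

# SID form of a DN: match groups whose member attribute holds the object with
# this SID, without first resolving the object's DN.
$filter = "(member=<SID=$MemberSid>)"

# Condition 3: subtree scope, so the search can descend into child NCs.
$request = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $RootNc,
    $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@('distinguishedName', 'objectSid', 'groupType'))

$response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)

foreach ($entry in $response.Entries) {
    # objectSid is binary; ask for it as byte[] explicitly and decode to S-1-5-... form.
    $sidBytes = $entry.Attributes['objectSid'].GetValues([byte[]])[0]
    $groupSid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$sidBytes, 0).Value
    '{0}  {1}' -f $groupSid, $entry.DistinguishedName
}

$conn.Dispose()
```

Run it from a domain-joined Windows host that already holds a Kerberos TGT. In a network trace you should see a single SASL/GSSAPI bind to the root DC followed by referral-driven connections to the child-domain DCs; if instead you see a simple bind on port 389, the failure mode the devs describe is reproduced. These are the same options that ldp.exe exposes in its Connect, Bind and Search dialogs, so the script can be used to cross-check what ldp.exe returns.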

-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Monday, October 31, 2022 11:50 AM
To: Christof Schmitt <cs at samba.org>
Cc: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Hi Christof,

Thank you for the traces. I'll review these with our LDAP team and let you know what we find. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Christof Schmitt <cs at samba.org>
Sent: Monday, October 31, 2022 11:25 AM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

On Sat, Oct 29, 2022 at 12:59:28AM +0000, Jeff McCashland (He/him) wrote:
> Hi Christof,
> 
> Please collect and upload LSASS TTT traces as before, so we can debug the issue with referral chasing enabled. 

Hi Jeff,

New traces are uploaded. One is from a test with referral chasing disabled and querying the GC port 3268. The other one is from a test with referral chasing enabled to the standard LDAP port 389. Both yield the same result: querying the group membership by SID does not return the group.

Please let me know if you need anything else.

Regards,

Christof
