[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Christof Schmitt cs at samba.org
Wed Nov 9 21:20:32 UTC 2022

On Wed, Nov 09, 2022 at 07:58:11PM +0000, Jeff McCashland (He/him) wrote:
> Hi Christof,
> Was the information below sufficient to address your question? 

Hi Jeff,

we are still trying to issue a successful query based on the provided

> Our LDAP team provided a clarification on the referral chasing workaround: 
> The following need to be true for that workaround to function
> 1)	The root of the search must be set to the Parent domains naming context.  E.g. Contoso.com
> 2)	The search must target a root domain DC
> 3)	The search scope must be set to SubTree
> 4)	Referral Chasing has to be turned on at the client layer.

This is all set correctly for the query from LDP.EXE.

> Additionally, we analyze the network trace you uploaded. Referral chasing actually provided a list of referrals, but a failed binding blocked the operation. Here is feedback from our devs:

I assume that this comment refers to the internal processing on the DC?

> 1.	Not using SASL/Kerberos
> 2.	Not using signing and encryption
> 3.	Attempting Simple Bind on cleart-text LDAP port rather than using TLS

Do all of these need to be set?



More information about the cifs-protocol mailing list