[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412
Christof Schmitt
cs at samba.org
Wed Nov 9 21:20:32 UTC 2022
On Wed, Nov 09, 2022 at 07:58:11PM +0000, Jeff McCashland (He/him) wrote:
> Hi Christof,
>
> Was the information below sufficient to address your question?

Hi Jeff,

we are still trying to issue a successful query based on the provided
input.

> Our LDAP team provided a clarification on the referral chasing workaround:
>
> The following need to be true for that workaround to function:
> 1) The root of the search must be set to the Parent domain's naming context. E.g. Contoso.com
> 2) The search must target a root domain DC
> 3) The search scope must be set to SubTree
> 4) Referral Chasing has to be turned on at the client layer.

This is all set correctly for the query from LDP.EXE.

> Additionally, we analyzed the network trace you uploaded. Referral chasing actually provided a list of referrals, but a failed binding blocked the operation. Here is feedback from our devs:

I assume that this comment refers to the internal processing on the DC?

> 1. Not using SASL/Kerberos
> 2. Not using signing and encryption
> 3. Attempting Simple Bind on clear-text LDAP port rather than using TLS

Do all of these need to be set?

Regards,

Christof