[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412
Jeff McCashland (He/him)
jeffm at microsoft.com
Thu Nov 10 23:12:19 UTC 2022
I'll ask about the 3 settings and let you know. The comment actually refers to the 'packetcapture1.pcap' network trace you provided for 'Case2-NormalQuery_ReferralEnabled'.
The response in frame 1923 includes several referrals, but you can see in frame 1934 that the binding wasn't actually successful.
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
From: Christof Schmitt <cs at samba.org>
Sent: Wednesday, November 9, 2022 1:21 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412
On Wed, Nov 09, 2022 at 07:58:11PM +0000, Jeff McCashland (He/him) wrote:
> Hi Christof,
> Was the information below sufficient to address your question?
We are still trying to issue a successful query based on the provided input.
> Our LDAP team provided a clarification on the referral chasing workaround:
> The following need to be true for that workaround to function
> 1) The root of the search must be set to the Parent domains naming context. E.g. Contoso.com
> 2) The search must target a root domain DC
> 3) The search scope must be set to SubTree
> 4) Referral Chasing has to be turned on at the client layer.
This is all set correctly for the query from LDP.EXE.
> Additionally, we analyzed the network trace you uploaded. Referral chasing actually provided a list of referrals, but a failed binding blocked the operation. Here is feedback from our devs:
I assume that this comment refers to the internal processing on the DC?
> 1. Not using SASL/Kerberos
> 2. Not using signing and encryption
> 3. Attempting Simple Bind on clear-text LDAP port rather than using TLS
Do all of these need to be set?
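The four conditions for the referral-chasing workaround and the three binding problems listed above, put together as one script. This is an added example and not code from the thread, Microsoft, or Samba; it uses the .NET System.DirectoryServices.Protocols API from PowerShell on a domain-joined Windows host. The DC name dc1.contoso.com, the naming context DC=contoso,DC=com, the member SID and the `(member=<SID=...>)` filter form are all assumptions made for illustration.

```powershell
# Added example, not from the original thread. Assumes a root-domain DC named
# dc1.contoso.com, a forest root naming context of DC=contoso,DC=com, and a
# constructed member SID; replace with values from your own forest.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$RootDomainDC = 'dc1.contoso.com'     # condition 2: the search must target a root domain DC
$BaseDn       = 'DC=contoso,DC=com'   # condition 1: root of the search = parent domain NC
$MemberSid    = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID (assumption)
# SID-as-DN form of the member value (assumption about the filter under discussion)
$Filter       = "(&(objectClass=group)(member=<SID=$MemberSid>))"

function New-WeakLdapConnection {
    # Reproduces the three points flagged by the DC team, for contrast only:
    # simple (Basic) bind, on the clear-text port 389, with no signing or sealing.
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($RootDomainDC, 389)
    $c  = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $c.SessionOptions.ProtocolVersion = 3
    $c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, cleartext password
    # Signing/Sealing left at their default (off). Do not use this for the real query.
    return $c
}

function New-HardenedLdapConnection {
    # Corrected setup: SASL/Kerberos via Negotiate, signing and sealing on,
    # and referral chasing enabled at the client layer (condition 4).
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($RootDomainDC, 389)
    $c  = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $c.SessionOptions.ProtocolVersion = 3
    $c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # point 1: SASL/Kerberos
    $c.SessionOptions.Signing = $true                                        # point 2: signing
    $c.SessionOptions.Sealing = $true                                        # point 2: encryption
    $c.SessionOptions.ReferralChasing =
        [System.DirectoryServices.Protocols.ReferralChasingOptions]::All      # condition 4
    return $c
}

$conn = New-HardenedLdapConnection
$conn.Bind()   # a failed bind here (or on a referral target) is what the trace showed

$attrs = @('distinguishedName')
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $BaseDn, $Filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,   # condition 3: SubTree
    $attrs)
$resp = $conn.SendRequest($req)

foreach ($entry in $resp.Entries) {
    $entry.DistinguishedName
}
$conn.Dispose()
```

The weak connection is built only to show the settings side by side; it is never bound. With referral chasing set to All, the client follows each referral the root DC returns and re-binds to the referred DC with the same Negotiate credentials, so the Kerberos and signing settings apply to those follow-on binds as well as to the first one.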