[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Jeff McCashland (He/him) jeffm at microsoft.com
Thu Nov 10 23:12:19 UTC 2022

Hi Christof,

I'll ask about the 3 settings and let you know. The comment actually refers to the 'packetcapture1.pcap' network trace you provided for 'Case2-NormalQuery_ReferralEnabled'. 

The response in frame 1923 includes several referrals, but you can see in frame 1934 that the binding wasn't actually successful. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Christof Schmitt <cs at samba.org> 
Sent: Wednesday, November 9, 2022 1:21 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

On Wed, Nov 09, 2022 at 07:58:11PM +0000, Jeff McCashland (He/him) wrote:
> Hi Christof,
> Was the information below sufficient to address your question? 

Hi Jeff,

we are still trying to issue a successful query based on the provided input.

> Our LDAP team provided a clarification on the referral chasing workaround: 
> The following need to be true for that workaround to function
> 1)	The root of the search must be set to the Parent domains naming context.  E.g. Contoso.com
> 2)	The search must target a root domain DC
> 3)	The search scope must be set to SubTree
> 4)	Referral Chasing has to be turned on at the client layer.

This is all set correctly for the query from LDP.EXE.

> Additionally, we analyze the network trace you uploaded. Referral chasing actually provided a list of referrals, but a failed binding blocked the operation. Here is feedback from our devs:

I assume that this comment refers to the internal processing on the DC?

> 1.	Not using SASL/Kerberos
> 2.	Not using signing and encryption
> 3.	Attempting Simple Bind on cleart-text LDAP port rather than using TLS

Do all of these need to be set?



More information about the cifs-protocol mailing list