[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Jeff McCashland (He/him) jeffm at microsoft.com
Tue Nov 15 18:50:45 UTC 2022


Hi Christof,

Did the information below help at all? Using the LDP from Windows should work, have you tried that to compare the network traces? 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Thursday, November 10, 2022 3:30 PM
To: Christof Schmitt <cs at samba.org>
Cc: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Hi Christof,

In regards to the 3 settings: 
> 1.	Not using SASL/Kerberos
> 2.	Not using signing and encryption
> 3.	Attempting Simple Bind on clear-text LDAP port rather than using TLS

1 and 2 go together, or you can use 3. 
LDAP over TLS will allow simple bind.
All 3 together can also be used.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Thursday, November 10, 2022 3:12 PM
To: Christof Schmitt <cs at samba.org>
Cc: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Hi Christof,

I'll ask about the 3 settings and let you know. The comment actually refers to the 'packetcapture1.pcap' network trace you provided for 'Case2-NormalQuery_ReferralEnabled'. 

The response in frame 1923 includes several referrals, but you can see in frame 1934 that the binding wasn't actually successful. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Christof Schmitt <cs at samba.org>
Sent: Wednesday, November 9, 2022 1:21 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

On Wed, Nov 09, 2022 at 07:58:11PM +0000, Jeff McCashland (He/him) wrote:
> Hi Christof,
> 
> Was the information below sufficient to address your question? 

Hi Jeff,

we are still trying to issue a successful query based on the provided input.

> Our LDAP team provided a clarification on the referral chasing workaround: 
> 
> The following need to be true for that workaround to function
> 1)	The root of the search must be set to the parent domain's naming context.  E.g. Contoso.com
> 2)	The search must target a root domain DC
> 3)	The search scope must be set to SubTree
> 4)	Referral Chasing has to be turned on at the client layer.

This is all set correctly for the query from LDP.EXE.

> Additionally, we analyzed the network trace you uploaded. Referral chasing actually provided a list of referrals, but a failed binding blocked the operation. Here is feedback from our devs:

I assume that this comment refers to the internal processing on the DC?

> 1.	Not using SASL/Kerberos
> 2.	Not using signing and encryption
> 3.	Attempting Simple Bind on clear-text LDAP port rather than using TLS

Do all of these need to be set?

Regards,

Christof
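As an added illustration, not code from this thread or from the Samba or Microsoft projects, the following Python check tests a planned query against the four workaround conditions listed above and flags the bind settings that leave the password or the session unprotected (simple bind on the clear-text port, or SASL without signing). The `LdapQueryPlan` class and its field names are my own; contoso.com is the example root domain the thread uses.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample value: contoso.com is the example root domain used in the thread.
ROOT_NC = "DC=contoso,DC=com"

@dataclass
class LdapQueryPlan:
    """Hypothetical description of an LDAP search and the bind it will use."""
    url: str                        # ldap://host:389 (clear-text) or ldaps://host:636 (TLS)
    base_dn: str                    # search base
    scope: str                      # "base", "onelevel" or "subtree"
    chase_referrals: bool           # client-side referral chasing enabled?
    targets_root_domain_dc: bool    # is the server a DC of the root domain?
    sasl_mechanism: Optional[str]   # e.g. "GSSAPI" (Kerberos); None means simple bind
    sign_and_seal: bool             # LDAP signing/sealing negotiated via SASL?

def _norm_dn(dn: str) -> str:
    # Compare DNs case-insensitively, ignoring whitespace around the commas.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def check_referral_workaround(plan: LdapQueryPlan, root_nc: str = ROOT_NC) -> List[str]:
    """Return 'requirement:' findings for the four workaround conditions and
    'risk:' findings for bind settings that expose credentials or traffic."""
    findings: List[str] = []
    if _norm_dn(plan.base_dn) != _norm_dn(root_nc):
        findings.append(f"requirement: search base must be the root naming context {root_nc}")
    if not plan.targets_root_domain_dc:
        findings.append("requirement: search must be sent to a root-domain DC")
    if plan.scope.lower() != "subtree":
        findings.append("requirement: search scope must be subtree")
    if not plan.chase_referrals:
        findings.append("requirement: referral chasing must be enabled on the client")
    over_tls = urlparse(plan.url).scheme.lower() == "ldaps"
    if plan.sasl_mechanism is None and not over_tls:
        findings.append("risk: simple bind on the clear-text port sends the password unprotected; use LDAPS")
    if plan.sasl_mechanism is not None and not plan.sign_and_seal and not over_tls:
        findings.append("risk: SASL bind without signing/sealing leaves the session open to tampering")
    return findings

def workaround_ready(plan: LdapQueryPlan, root_nc: str = ROOT_NC) -> bool:
    """True when every requirement is met; risk findings do not block the query."""
    return not any(f.startswith("requirement:") for f in check_referral_workaround(plan, root_nc))
```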
