[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Jeff McCashland (He/him) jeffm at microsoft.com
Fri Nov 18 16:43:48 UTC 2022

Hi Andrew,

The response from our LDAP team is:
Referral chasing is entirely client driven, it is not related to TLS, SASL, Delegation or other.  The LDAP server gives the client a referral to another Naming Context that is a child of the Subtree search that was just performed.  It is entirely up to the client what to do with that information and if it so chooses, it would establish a new connection and new Bind (with whichever auth method it chooses) to one of the DCs that host the referred naming context.

I hope that helps!

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

From: Andrew Bartlett <abartlet at samba.org>
Sent: Tuesday, November 15, 2022 11:44 AM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Christof Schmitt <cs at samba.org>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

On Tue, 2022-11-15 at 18:50 +0000, Jeff McCashland (He/him) wrote:

1. Not using SASL/Kerberos

2. Not using signing and encryption

3. Attempting Simple Bind on clear-text LDAP port rather than using TLS

Do all of these need to be set?

Following up on this, so given that Samba clients work hard to use Kerberos with SASL encryption (and not TLS due to issues around channel binding) that this feature won't work?

Is it the case that on Windows this is a simple forwarding of the simple bind DN and cleartext password from one server to another, but that advanced techniques like S4U2Proxy are not used?

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
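The reply above makes one point that is easy to lose in the back-and-forth about bind methods: a referral is just an LDAP URL the server hands back, and everything after that (whether to follow it, which host to connect to, and which bind to use there) is the client's own decision. The following sketch, written for this archive page and not taken from Samba, Windows or the [MS-ADTS] specification, shows that decision as code: it parses a referral URL (RFC 4516 syntax), checks that the referred naming context really sits below the base that was searched, applies a constructed host-trust policy, and refuses to carry a simple bind over to a plain `ldap://` target. The policy rules, the `trusted_suffix` parameter and the sample URLs are this example's own assumptions, not protocol requirements.

```python
"""Client-side LDAP referral handling (added example, not from the thread).

Models the statement that referral chasing is entirely client driven: the
server returns an LDAP URL for a child naming context; the client alone
decides whether to open a new connection and how to bind on it.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, unquote


@dataclass(frozen=True)
class Referral:
    scheme: str      # "ldap" or "ldaps"
    host: str        # DC that hosts the referred naming context
    port: int
    base_dn: str     # naming context the server pointed us at


def parse_referral(url: str) -> Referral:
    """Parse ldap[s]://host[:port]/<DN>[?attrs?scope?filter] into a Referral."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"referral without a host: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # The DN is the path component, percent-decoded, minus the leading '/'.
    base_dn = unquote(parts.path.lstrip("/"))
    return Referral(parts.scheme, parts.hostname.lower(), port, base_dn)


def is_child_context(referred_dn: str, searched_dn: str) -> bool:
    """True when referred_dn is a proper descendant of searched_dn."""
    def norm(dn: str) -> str:
        return ",".join(p.strip().lower() for p in dn.split(","))
    r, s = norm(referred_dn), norm(searched_dn)
    return r != s and r.endswith("," + s)


def plan_chase(url: str, searched_base: str, client_auth: str,
               trusted_suffix: str) -> Optional[Referral]:
    """Decide whether to follow a referral and with which bind.

    Returns the Referral to connect to, or None when policy says do not chase.
    These rules are this example's own (assumed) policy:
      * only follow into a naming context below the searched base;
      * only connect to hosts under the trusted DNS suffix;
      * a simple bind is reused only over ldaps; a SASL/GSSAPI client keeps
        using GSSAPI on the new connection and never sends a password.
    """
    ref = parse_referral(url)
    if not is_child_context(ref.base_dn, searched_base):
        return None
    host_ok = ref.host == trusted_suffix or ref.host.endswith("." + trusted_suffix)
    if not host_ok:
        return None
    if client_auth == "simple" and ref.scheme != "ldaps":
        return None
    if client_auth not in ("simple", "GSSAPI"):
        return None
    return ref


if __name__ == "__main__":
    # Constructed referral, as a DC might return for a child domain.
    url = "ldap://dc1.child.example.com/DC=child,DC=example,DC=com"
    for auth in ("GSSAPI", "simple"):
        decision = plan_chase(url, "DC=example,DC=com", auth, "example.com")
        print(f"{auth:7s} -> {'chase ' + decision.host if decision else 'do not chase'}")
```

Run as a script it prints that the GSSAPI client follows the referral while the simple-bind client does not, because the target is a clear-text `ldap://` URL. A real client would replace `plan_chase`'s return value with an actual new connection and bind; the point of the example is that nothing about that new connection is inherited from the server that issued the referral.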
