ADV190023 | LDAP channel binding support

Stefan Metzmacher metze at
Tue Feb 18 16:47:51 UTC 2020

Am 18.02.20 um 17:06 schrieb Isaac Boukris:
> Hi,
> I tested net-ads-search from a joined machine configured with "ldap
> ssl ads = yes", and it works once I also set "client ldap sasl
> wrapping = plain".
> However it doesn't work when I configure the DC to require
> channel-binding with LdapEnforceChannelBinding=2 as per ADV190023.

I think that's expected, can you paste the error message?

Is it possible to reproduce with ldbsearch as well?

But do the default settings still work?

> Has anyone looked into channel-binding or has any idea what is needed
> to implement in samba (or upstream) for this to work?
> Is there other ldap client code in samba that would also be impacted?


> BTW, I noticed windows clients use both singing and sealing, should we
> consider changing the defaults of "client ldap sasl wrapping" to seal?

I looked at it a bit, see;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f

I think we need input from dochelp to answer 2 questions:
1. which kind of channel bindings are expected/used by windows?
   I assume tls-server-end-point. I guess MS-ADTS would be the place
   to define these details for ldaps.
2. how is the ChannelBindingsUnhashed blob constructed for


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list