ADV190023 | LDAP channel binding support

Isaac Boukris iboukris at
Tue Feb 18 17:09:52 UTC 2020

Hi metze

On Tue, Feb 18, 2020 at 5:48 PM Stefan Metzmacher <metze at> wrote:
> > I tested net-ads-search from a joined machine configured with "ldap
> > ssl ads = yes", and it works once I also set "client ldap sasl
> > wrapping = plain".
> >
> > However it doesn't work when I configure the DC to require
> > channel-binding with LdapEnforceChannelBinding=2 as per ADV190023.
> I think that's expected, can you paste the error message?

See also:

$ net ads -U"administrator at ACME.COM%Secret123" -d3 search cn=admin

Successfully contacted LDAP server
Connected to LDAP server adc.ACME.COM
StartTLS issued: using a TLS connection
ads_sasl_spnego_bind: got OID=
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.
ads_sasl_spnego_bind: got OID=
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
ldap/ with user[administrator] realm[ACME.COM]: Invalid
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ with
user[administrator] realm=[ACME.COM]: Invalid credentials
return code = -1

> Is it possible to reproduce with ldbsearch as well?


$ ldapsearch -h -b dc=acme,dc=com cn=isaac -Y GSSAPI -O
maxssf=0 -ZZ
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: 80090346: LdapErr: DSID-0C090569, comment:
AcceptSecurityContext error, data 80090346, v4563

> But do the default settings still work?

For now yes, but that's about to change, if i understand correctly.

"A further future monthly update, anticipated for release the second
half of calendar year 2020, will enable LDAP signing and channel
binding on domain controllers configured with default values for those

> > Has anyone looked into channel-binding or has any idea what is needed
> > to implement in samba (or upstream) for this to work?
> > Is there other ldap client code in samba that would also be impacted?
> Yes.
> > BTW, I noticed windows clients use both singing and sealing, should we
> > consider changing the defaults of "client ldap sasl wrapping" to seal?

Notice the last question wasn't about channel-binding, but about
signing vs sealing (the GPO from the advisory only enforces signing

> I looked at it a bit, see

Thanks! I'll play with that.

I'm unclear about the implementation details but I think it would be
nice to have some kind of flag to both require channel-binding over
TLS and disable sasl-wrapping in that case.

> I think we need input from dochelp to answer 2 questions:
> 1. which kind of channel bindings are expected/used by windows?
>    I assume tls-server-end-point. I guess MS-ADTS would be the place
>    to define these details for ldaps.

I'll try to formulate a question to dochelp on this.

> 2. how is the ChannelBindingsUnhashed blob constructed for
> metze

More information about the samba-technical mailing list