ADV190023 | LDAP channel binding support

Isaac Boukris iboukris at
Wed Feb 19 11:27:31 UTC 2020

On Tue, Feb 18, 2020 at 5:48 PM Stefan Metzmacher <metze at> wrote:
> On 18.02.20 at 17:06, Isaac Boukris wrote:
> > Hi,
> >
> > I tested net-ads-search from a joined machine configured with "ldap
> > ssl ads = yes", and it works once I also set "client ldap sasl
> > wrapping = plain".
> >
> > However it doesn't work when I configure the DC to require
> > channel-binding with LdapEnforceChannelBinding=2 as per ADV190023.
> I think that's expected, can you paste the error message?
> Is it possible to reproduce with ldbsearch as well?
> But do the default settings still work?

To be clear, the Samba default will work since it does not use TLS (also,
simple authentication over TLS is not impacted either).

> > Has anyone looked into channel-binding or has any idea what is needed
> > to implement in samba (or upstream) for this to work?
> > Is there other ldap client code in samba that would also be impacted?
> I looked at it a bit, see
> I think we need input from dochelp to answer 2 questions:
> 1. which kind of channel bindings are expected/used by windows?
>    I assume tls-server-end-point. I guess MS-ADTS would be the place
>    to define these details for ldaps.

This blog also suggests it's tls-server-end-point (about HTTP):
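
For reference, how a tls-server-end-point binding is derived under RFC 5929 and packed for GSS-API under RFC 4121, as an added example that is not part of the original message or Samba's code. The function names are hypothetical, the certificate bytes are a constructed placeholder, and that the DC expects this binding type is the thread's assumption.

```python
import hashlib
import struct

# RFC 5929 section 4.1: hash the server certificate with the hash function of
# its signatureAlgorithm, except that MD5 and SHA-1 are replaced by SHA-256.
_UPGRADED = {"md5", "sha1"}
_ALLOWED = {"sha224", "sha256", "sha384", "sha512"}


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """Return the tls-server-end-point value for a DER-encoded certificate.

    sig_hash is the hash named by the certificate's signatureAlgorithm
    (e.g. "sha256" for sha256WithRSAEncryption); the caller extracts it.
    """
    name = sig_hash.lower().replace("-", "")
    if name in _UPGRADED:
        name = "sha256"
    if name not in _ALLOWED:
        raise ValueError(f"unsupported signature hash: {sig_hash}")
    return hashlib.new(name, cert_der).digest()


def gss_application_data(cert_der: bytes, sig_hash: str) -> bytes:
    """application_data of the GSS-API channel bindings: type prefix + hash."""
    return b"tls-server-end-point:" + tls_server_end_point(cert_der, sig_hash)


def krb5_bnd_field(application_data: bytes) -> bytes:
    """MD5 over the channel-bindings structure (RFC 4121 section 4.1.1.2).

    Assumes no initiator/acceptor addresses: both address types and lengths
    are zero. Every integer is 4 bytes, little-endian.
    """
    header = struct.pack("<IIIII", 0, 0, 0, 0, len(application_data))
    return hashlib.md5(header + application_data).digest()


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate.
    cert = b"constructed-placeholder-not-a-real-certificate"
    app = gss_application_data(cert, "sha1")  # SHA-1 cert -> SHA-256 binding
    print(app[:21].decode(), len(app), krb5_bnd_field(app).hex())
```

A client and server that disagree on the certificate seen over TLS compute different values here, which is what lets the server reject a relayed authentication.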
