ADV190023 | LDAP channel binding support

Isaac Boukris iboukris at gmail.com
Sat Feb 22 19:09:57 UTC 2020


On Tue, Feb 18, 2020 at 5:48 PM Stefan Metzmacher <metze at samba.org> wrote:
>
> Am 18.02.20 um 17:06 schrieb Isaac Boukris:
> >
> > Has anyone looked into channel-binding or has any idea what is needed
> > to implement in samba (or upstream) for this to work?
> > Is there other ldap client code in samba that would also be impacted?
>
> Yes.
>
> > BTW, I noticed windows clients use both signing and sealing, should we
> > consider changing the defaults of "client ldap sasl wrapping" to seal?
>
> I looked at it a bit, see
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f
>
> I think we need input from dochelp to answer 2 questions:
> 1. which kind of channel bindings are expected/used by windows?
>    I assume tls-server-end-point. I guess MS-ADTS would be the place
>    to define these details for ldaps.

I noticed another reference to channel-bindings in MS-KILE; I
think maybe the KERB_AP_OPTIONS_CBT ad element is the way to tell the
server to require CB when LdapEnforceChannelBinding is set to 1 only,
needs testing.

3.2.5.8 AP Exchange
If ChannelBinding is set to TRUE, the client sends AD-AUTH-DATA-AP-OPTIONS data in an AD-IF-RELEVANT element ([RFC4120] section 5.2.6.1). The Authorization Data Type AD-AUTH-DATA-AP-OPTIONS has an ad-type of 143 and ad-data of KERB_AP_OPTIONS_CBT (0x4000). The presence of this element indicates that the client expects the applications running on it to include channel binding information ([RFC2743] section 1.1.6 and [RFC2744]) in AP requests whenever Kerberos authentication takes place over an "outer channel" such as TLS. Channel binding is provided using the ChannelBinding variable specified in section 3.2.1.

3.4.5
If the ApplicationRequiresCBT parameter (section 3.4.1) is set to TRUE, the server, if so configured, SHOULD<67> return GSS_S_BAD_BINDINGS whenever the AP exchange request message contains an all-zero channel binding value and does not contain the AD-IF-RELEVANT element ([RFC4120] section 5.2.6.1) KERB_AP_OPTIONS_CBT.
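To make the two MS-KILE excerpts concrete, here is an added example (not Samba's, Heimdal's or MS-KILE's code, and not from this thread) that DER-encodes the AD-IF-RELEVANT / AD-AUTH-DATA-AP-OPTIONS marker a CBT-aware client would put in its AP-REQ authorization data, and parses it back on the acceptor side so the server can tell such a client apart from a legacy one. The 4-byte little-endian layout of the ad-data flags word and all function names are assumptions; the accept/reject decision of section 3.4.5 is left to the caller's configured policy.

```python
AD_IF_RELEVANT = 1             # RFC 4120 section 5.2.6.1
AD_AUTH_DATA_AP_OPTIONS = 143  # MS-KILE ad-type carrying the KERB_AP_OPTIONS_* flags word
KERB_AP_OPTIONS_CBT = 0x4000   # client expects CBT whenever there is an outer channel (TLS)

def _der(tag, body):  # minimal DER TLV: single-byte tag, short-form length (enough here)
    return bytes([tag, len(body)]) + body

def _authz_entry(ad_type, ad_data):  # SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
    ad_type_der = _der(0x02, ad_type.to_bytes((ad_type.bit_length() + 8) // 8, "big", signed=True))
    return _der(0x30, _der(0xA0, ad_type_der) + _der(0xA1, _der(0x04, ad_data)))

def encode_ap_options_authz(flags=KERB_AP_OPTIONS_CBT):
    """Client side: AD-IF-RELEVANT wrapping AD-AUTH-DATA-AP-OPTIONS (MS-KILE 3.2.5.8).
    The 4-byte little-endian layout of the ad-data flags word is an assumption."""
    inner = _der(0x30, _authz_entry(AD_AUTH_DATA_AP_OPTIONS, flags.to_bytes(4, "little")))
    return _der(0x30, _authz_entry(AD_IF_RELEVANT, inner))

def _tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length, so a real authenticator's authorization-data also parses
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def _authz_entries(buf):
    """Yield (ad-type, ad-data) from an encoded AuthorizationData; reject malformed input."""
    tag, seq, end = _tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not an AuthorizationData SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, entry, pos = _tlv(seq, pos)
        t0, type_tlv, p = _tlv(entry, 0)
        t1, data_tlv, _ = _tlv(entry, p)
        if (tag, t0, t1) != (0x30, 0xA0, 0xA1):
            raise ValueError("malformed AuthorizationData entry")
        yield int.from_bytes(_tlv(type_tlv, 0)[1], "big", signed=True), _tlv(data_tlv, 0)[1]

def ap_options_flags(authz_data):
    """Server side: OR of every AD-AUTH-DATA-AP-OPTIONS word, descending into AD-IF-RELEVANT."""
    flags = 0
    for ad_type, ad_data in _authz_entries(authz_data):
        if ad_type == AD_IF_RELEVANT:
            flags |= ap_options_flags(ad_data)
        elif ad_type == AD_AUTH_DATA_AP_OPTIONS and len(ad_data) >= 4:
            flags |= int.from_bytes(ad_data[:4], "little")
    return flags
```

A set KERB_AP_OPTIONS_CBT bit in the returned flags means the client declared itself CBT-aware; a legacy client's authorization data yields 0.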
