ADV190023 | LDAP channel binding support

Simo Sorce simo at redhat.com
Mon Feb 24 13:35:16 UTC 2020


On Sat, 2020-02-22 at 20:09 +0100, Isaac Boukris wrote:
> On Tue, Feb 18, 2020 at 5:48 PM Stefan Metzmacher <metze at samba.org> wrote:
> > On 18.02.20 at 17:06, Isaac Boukris wrote:
> > > Has anyone looked into channel-binding or has any idea what is needed
> > > to implement in samba (or upstream) for this to work?
> > > Is there other ldap client code in samba that would also be impacted?
> > 
> > Yes.
> > 
> > > BTW, I noticed windows clients use both signing and sealing, should we
> > > consider changing the defaults of "client ldap sasl wrapping" to seal?
> > 
> > I looked at it a bit, see
> > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f
> > 
> > I think we need input from dochelp to answer 2 questions:
> > 1. which kind of channel bindings are expected/used by windows?
> >    I assume tls-server-end-point. I guess MS-ADTS would be the place
> >    to define these details for ldaps.
> 
> I noticed another reference to channel-bindings in MS-KILE, I
> think maybe KERB_AP_OPTIONS_CBT ad element is the way to tell the
> server to require CB when LdapEnforceChannelBinding is set to 1 only,
> needs testing.
> 
> 3.2.5.8 AP Exchange
> If ChannelBinding is set to TRUE, the client sends
> AD-AUTH-DATA-AP-OPTIONS data in an AD-IF-RELEVANT element ([RFC4120]
> section 5.2.6.1). The Authorization Data Type AD-AUTH-DATA-AP-OPTIONS
> has an ad-type of 143 and ad-data of KERB_AP_OPTIONS_CBT (0x4000). The
> presence of this element indicates that the client expects the
> applications running on it to include channel binding information
> ([RFC2743] section 1.1.6 and [RFC2744]) in AP requests whenever
> Kerberos authentication takes place over an "outer channel" such as
> TLS. Channel binding is provided using the ChannelBinding variable
> specified in section 3.2.1.
> 
> 3.4.5
> If the ApplicationRequiresCBT parameter (section 3.4.1) is set to
> TRUE, the server, if so configured, SHOULD<67> return
> GSS_S_BAD_BINDINGS whenever the AP exchange request message contains
> an all-zero channel binding value and does not contain the
> AD-IF-RELEVANT element ([RFC4120] section 5.2.6.1)
> KERB_AP_OPTIONS_CBT.

Very interesting, we should add support to decode this AD in MIT krb5
and expose it via naming attributes or context options, whatever makes
the most sense.

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
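
An added example, not part of the original thread and not Samba or MIT krb5 code: a sketch of decoding the AD-AUTH-DATA-AP-OPTIONS element from DER AuthorizationData (RFC 4120 layout) and applying the server rule quoted from MS-KILE 3.4.5. All function names are hypothetical, the 4-byte little-endian encoding of ad-data is an assumption (the quoted text gives only the value 0x4000), and only one level of AD-IF-RELEVANT nesting is examined.

```python
AD_IF_RELEVANT = 1             # RFC 4120 section 5.2.6.1
AD_AUTH_DATA_AP_OPTIONS = 143  # ad-type quoted from MS-KILE 3.2.5.8
KERB_AP_OPTIONS_CBT = 0x4000

def read_tlv(buf, pos, tag):
    """Read one DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form definite length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def has_cbt_flag(authdata, nested=False):
    """True if AD-AUTH-DATA-AP-OPTIONS with the CBT bit sits inside AD-IF-RELEVANT."""
    if not authdata:
        return False
    seq, pos = read_tlv(authdata, 0, 0x30)[0], 0  # AuthorizationData ::= SEQUENCE OF
    while pos < len(seq):
        elem, pos = read_tlv(seq, pos, 0x30)
        tagged, nxt = read_tlv(elem, 0, 0xA0)     # ad-type [0] Int32
        ad_type = int.from_bytes(read_tlv(tagged, 0, 0x02)[0], "big", signed=True)
        ad_data = read_tlv(read_tlv(elem, nxt, 0xA1)[0], 0, 0x04)[0]  # ad-data [1]
        if ad_type == AD_IF_RELEVANT and not nested and has_cbt_flag(ad_data, True):
            return True
        # Assumption: ad-data is a 4-byte little-endian flags word.
        if ad_type == AD_AUTH_DATA_AP_OPTIONS and nested and len(ad_data) == 4:
            if int.from_bytes(ad_data, "little") & KERB_AP_OPTIONS_CBT:
                return True
    return False

def must_return_bad_bindings(bnd, authdata, application_requires_cbt):
    """Quoted 3.4.5 rule: all-zero channel binding value and no CBT element."""
    return bool(application_requires_cbt and not any(bnd) and not has_cbt_flag(authdata))

# Constructed sample data (short-form DER lengths only), not captured traffic.
def tlv(tag, val):
    return bytes([tag, len(val)]) + val

def ad_elem(ad_type, data):
    num = ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big")
    return tlv(0x30, tlv(0xA0, tlv(0x02, num)) + tlv(0xA1, tlv(0x04, data)))

CBT = tlv(0x30, ad_elem(1, tlv(0x30, ad_elem(143, (0x4000).to_bytes(4, "little")))))
NO_CBT = tlv(0x30, ad_elem(1, tlv(0x30, ad_elem(143, bytes(4)))))
```
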
