ADV190023 | LDAP channel binding support
simo at redhat.com
Mon Feb 24 13:35:16 UTC 2020
On Sat, 2020-02-22 at 20:09 +0100, Isaac Boukris wrote:
> On Tue, Feb 18, 2020 at 5:48 PM Stefan Metzmacher <metze at samba.org> wrote:
> > Am 18.02.20 um 17:06 schrieb Isaac Boukris:
> > > Has anyone looked into channel-binding or has any idea what is needed
> > > to implement in samba (or upstream) for this to work?
> > > Is there other ldap client code in samba that would also be impacted?
> > Yes.
> > > BTW, I noticed windows clients use both signing and sealing, should we
> > > consider changing the defaults of "client ldap sasl wrapping" to seal?
> > I looked at it a bit, see
> > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f
> > I think we need input from dochelp to answer 2 questions:
> > 1. which kind of channel bindings are expected/used by windows?
> > I assume tls-server-end-point. I guess MS-ADTS would be the place
> > to define these details for ldaps.
> I noticed another reference to channel-bindings in MS-KILE, I
> think maybe KERB_AP_OPTIONS_CBT ad element is the way to tell the
> server to require CB when LdapEnforceChannelBinding is set to 1 only,
> needs testing.
> MS-KILE, AP Exchange:
>
> If ChannelBinding is set to TRUE, the client sends
> AD-AUTH-DATA-AP-OPTIONS data in an AD-IF-RELEVANT element
> ([RFC4120] section 5.2.6). The Authorization Data Type
> AD-AUTH-DATA-AP-OPTIONS has an ad-type of 143 and ad-data of
> KERB_AP_OPTIONS_CBT (0x4000). The presence of this element indicates
> that the client expects the applications running on it to include
> channel binding information ([RFC2743] section 1.1.6 and [RFC2744])
> in AP requests whenever Kerberos authentication takes place over an
> "outer channel" such as TLS. Channel binding is provided using the
> ChannelBinding variable specified in section 3.2.1.
>
> If the ApplicationRequiresCBT parameter (section 3.4.1) is set to
> TRUE, the server, if so configured, SHOULD<67> return
> GSS_S_BAD_BINDINGS whenever the AP exchange request message contains
> an all-zero channel binding value and does not contain the
> AD-IF-RELEVANT element ([RFC4120] section 5.2.6) KERB_AP_OPTIONS_CBT.
Very interesting, we should add support to decode this AD in MIT krb5
and expose it via naming attributes or context options, whatever makes
the most sense.
RHEL Crypto Team
Red Hat, Inc
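The pieces the thread is circling (tls-server-end-point channel binding data, the 16-byte Bnd field of the AP-REQ authenticator checksum, and the AD-AUTH-DATA-AP-OPTIONS / KERB_AP_OPTIONS_CBT authorization data quoted from MS-KILE above), as an added example that is not Samba, MIT krb5 or Windows code. The ad-type 143 and 0x4000 values come from the quoted MS-KILE text and AD-IF-RELEVANT (ad-type 1) from RFC 4120; the 4-byte little-endian layout of ad-data, the certificate bytes, and the verdict names returned by `acceptor_verdict` are assumptions for illustration:

```python
"""Added example (not project code): RFC 5929 tls-server-end-point data,
the RFC 4121 Bnd checksum field, and MS-KILE KERB_AP_OPTIONS_CBT authdata."""
import hashlib
import struct
from typing import List, Optional, Tuple

GSS_C_AF_UNSPEC = 0
KRB5_AUTHDATA_IF_RELEVANT = 1        # RFC 4120 section 5.2.6.1
AD_AUTH_DATA_AP_OPTIONS = 143        # MS-KILE (quoted above)
KERB_AP_OPTIONS_CBT = 0x4000         # MS-KILE (quoted above)


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 4.1: prefix + hash of the server certificate, using the
    certificate signature's hash with MD5 and SHA-1 upgraded to SHA-256."""
    if sig_hash.lower() in ("md5", "sha1", "sha-1"):
        sig_hash = "sha256"
    return b"tls-server-end-point:" + hashlib.new(sig_hash, cert_der).digest()


def rfc4121_bnd(app_data: Optional[bytes]) -> bytes:
    """16-byte Bnd field (RFC 4121 4.1.1.2 / RFC 1964): MD5 over the packed
    gss_channel_bindings_t with 32-bit little-endian type and length fields,
    or all zeros when the application supplied no bindings."""
    if app_data is None:
        return bytes(16)
    packed = (struct.pack("<II", GSS_C_AF_UNSPEC, 0)    # initiator address
              + struct.pack("<II", GSS_C_AF_UNSPEC, 0)  # acceptor address
              + struct.pack("<I", len(app_data)) + app_data)
    return hashlib.md5(packed, usedforsecurity=False).digest()


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long definite length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n


def encode_authdata(elements: List[Tuple[int, bytes]]) -> bytes:
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32,
    ad-data [1] OCTET STRING } (RFC 4120 5.2.6)."""
    items = b""
    for ad_type, ad_data in elements:
        int_body = ad_type.to_bytes((ad_type.bit_length() + 8) // 8, "big", signed=True)
        items += _der(0x30, _der(0xA0, _der(0x02, int_body)) + _der(0xA1, _der(0x04, ad_data)))
    return _der(0x30, items)


def decode_authdata(der: bytes) -> List[Tuple[int, bytes]]:
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, item, pos = _read_tlv(seq, pos)
        t0, tagged_type, p = _read_tlv(item, 0)   # [0] ad-type
        t1, tagged_data, _ = _read_tlv(item, p)   # [1] ad-data
        if (t0, t1) != (0xA0, 0xA1):
            raise ValueError("unexpected tags in AuthorizationData element")
        _, ad_type, _ = _read_tlv(tagged_type, 0)
        _, ad_data, _ = _read_tlv(tagged_data, 0)
        out.append((int.from_bytes(ad_type, "big", signed=True), ad_data))
    return out


def client_expects_cbt(authdata_der: bytes) -> bool:
    """True if AD-AUTH-DATA-AP-OPTIONS carrying KERB_AP_OPTIONS_CBT is present,
    descending into AD-IF-RELEVANT as MS-KILE describes.
    Assumption: ad-data is a 4-byte little-endian flag word."""
    for ad_type, ad_data in decode_authdata(authdata_der):
        if ad_type == KRB5_AUTHDATA_IF_RELEVANT and client_expects_cbt(ad_data):
            return True
        if (ad_type == AD_AUTH_DATA_AP_OPTIONS and len(ad_data) == 4
                and struct.unpack("<I", ad_data)[0] & KERB_AP_OPTIONS_CBT):
            return True
    return False


def cbt_authdata() -> bytes:
    """The element a CBT-aware client adds to its authenticator."""
    inner = encode_authdata([(AD_AUTH_DATA_AP_OPTIONS, struct.pack("<I", KERB_AP_OPTIONS_CBT))])
    return encode_authdata([(KRB5_AUTHDATA_IF_RELEVANT, inner)])


def acceptor_verdict(bnd: bytes, authdata_der: bytes, expected_app_data: bytes) -> str:
    """Hypothetical acceptor-side classification of the client's Bnd against
    the acceptor's own bindings; the application (an LDAP server honouring
    LdapEnforceChannelBinding, say) maps the result to GSS_S_COMPLETE or
    GSS_S_BAD_BINDINGS according to its configured policy."""
    if bnd == rfc4121_bnd(expected_app_data):
        return "MATCH"
    if bnd != bytes(16):
        return "MISMATCH"
    return "ZERO_CBT_AWARE" if client_expects_cbt(authdata_der) else "ZERO_UNAWARE"
```

Feed `acceptor_verdict` the Bnd recovered from the authenticator checksum, the authenticator's AuthorizationData, and the `tls_server_end_point` value computed from the acceptor's own certificate. The two all-zero outcomes are the ones the quoted MS-KILE paragraph distinguishes by the presence of KERB_AP_OPTIONS_CBT; a mismatch of a non-zero Bnd is the classic relay signature and is rejected at every enforcement level.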