ADV190023 | LDAP channel binding support

Isaac Boukris iboukris at
Tue Feb 25 20:17:39 UTC 2020

Hi metze

On Tue, Feb 18, 2020 at 5:48 PM Stefan Metzmacher <metze at> wrote:
> On 18.02.20 at 17:06, Isaac Boukris wrote:
> >
> > I tested net-ads-search from a joined machine configured with "ldap
> > ssl ads = yes", and it works once I also set "client ldap sasl
> > wrapping = plain".
> >
> > However, it doesn't work when I configure the DC to require
> > channel binding with LdapEnforceChannelBinding=2 as per ADV190023.
> I looked at it a bit, see

FYI, I got net-ads working against an AD server by adding some logic in
source3, look:

However, the fixed clients aren't working against the Samba server yet
unless require-strong-auth is set to "no", while non-fixed clients
still work. I get this error (I also wonder how I can trigger the
source4 client code).

LD_LIBRARY_PATH=/usr/local/lib /usr/local/samba/bin/net ads
-U"administrator at SMB.NET" -d3 search cn=apache -d3
Connected to LDAP server
StartTLS issued: using a TLS connection
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
ldap/ with user[administrator] realm[SMB.NET]: Invalid
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ with
user[administrator] realm=[SMB.NET]: Invalid credentials
return code = -1

LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/ldapsearch -h -b dc=smb,dc=net cn=administrator -Y GSSAPI -N -ZZ -O
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Invalid credentials (49)
additional info: 8009030C: LdapErr: DSID-0C0904DC, comment:
AcceptSecurityContext error, data 52e, v1db1
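For readers following the channel-binding part of this thread, the following is an added example, not code from the message above or from Samba or Windows: it computes the RFC 5929 tls-server-end-point channel binding token that a client must present (as the application_data of its GSSAPI channel bindings) when the DC is set to LdapEnforceChannelBinding=2, and models the server-side accept/reject decision for enforcement levels 0, 1 and 2 with both a fixed client (sends the token) and an unfixed one (sends none). The DER certificate is a constructed, structurally minimal stub rather than a real X.509 certificate; `make_sample_cert` and `server_accepts` are hypothetical helpers, and the accept/reject rules are a simplified reading of the ADV190023 setting, not either server's actual code.

```python
import hashlib
import hmac

# Signature-algorithm OID -> digest used for tls-server-end-point (RFC 5929 section 4.1).
# RFC 5929: if the certificate's signature hash is MD5 or SHA-1, use SHA-256;
# otherwise use the hash the certificate was signed with.
_SIGALG_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption   -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption  -> SHA-256
    "1.2.840.10040.4.3": "sha256",      # dsa-with-sha1          -> SHA-256
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1        -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _read_tlv(buf, pos, want_tag):
    """Read one DER TLV at buf[pos]; return (value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x}, got 0x{tag:02x}")
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return pos, pos + length


def _decode_oid(raw):
    """Decode DER OID contents into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return Certificate.signatureAlgorithm.algorithm as a dotted OID string."""
    body_start, _ = _read_tlv(cert_der, 0, 0x30)               # Certificate ::= SEQUENCE
    _, tbs_end = _read_tlv(cert_der, body_start, 0x30)         # tbsCertificate (skipped)
    alg_start, _ = _read_tlv(cert_der, tbs_end, 0x30)          # signatureAlgorithm
    oid_start, oid_end = _read_tlv(cert_der, alg_start, 0x06)  # algorithm OID
    return _decode_oid(cert_der[oid_start:oid_end])


def tls_server_end_point_cbt(cert_der):
    """RFC 5929 tls-server-end-point: prefix + hash of the server's DER certificate.
    This is the application_data a GSSAPI/GSS-SPNEGO LDAP client passes as channel bindings."""
    oid = signature_algorithm_oid(cert_der)
    digest = _SIGALG_HASH.get(oid)
    if digest is None:
        raise ValueError(f"no tls-server-end-point hash mapping for {oid}")
    return b"tls-server-end-point:" + hashlib.new(digest, cert_der).digest()


def server_accepts(enforce_level, expected_cbt, client_cbt):
    """Simplified model (an assumption, not Windows' or Samba's code) of LdapEnforceChannelBinding:
    0 = never validate, 1 = validate only when the client supplied bindings, 2 = always require them."""
    if enforce_level == 0:
        return True
    if client_cbt is None:
        return enforce_level == 1
    return hmac.compare_digest(client_cbt, expected_cbt)


# --- constructed sample input (hypothetical helpers; not a real X.509 certificate) ---

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length is enough for the stub


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid):
    """Structurally minimal Certificate SEQUENCE: tbsCertificate stub, AlgorithmIdentifier, placeholder BIT STRING."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 9)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    cert = make_sample_cert("1.2.840.113549.1.1.5")   # SHA-1 signed -> SHA-256 token per RFC 5929
    cbt = tls_server_end_point_cbt(cert)
    print(cbt.hex())
    # Fixed client (sends the token) vs. unfixed client (sends none) at each enforcement level.
    for level in (0, 1, 2):
        print(level, server_accepts(level, cbt, cbt), server_accepts(level, cbt, None))
```

The point the model makes visible is the one in the thread: at level 2 an unfixed client that never sends bindings is refused outright (the 52e / "Invalid credentials" seen above), while at level 1 it is still accepted and only a client that does send bindings has them checked. The hash selection matters in practice because many AD certificates are still SHA-1-signed, and RFC 5929 requires SHA-256 of the DER for those rather than SHA-1.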

More information about the samba-technical mailing list