ADV190023 | LDAP channel binding support
Stefan Metzmacher
metze at samba.org
Wed Feb 26 14:39:19 UTC 2020
Am 26.02.20 um 15:21 schrieb Isaac Boukris via samba-technical:
> On Tue, Feb 25, 2020 at 9:17 PM Isaac Boukris <iboukris at gmail.com> wrote:
>>
>>> I looked at it a bit, see
>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f
>>
>> FYI, I got net-ads working against AD server by adding some logic in
>> source3, look:
>> https://gitlab.com/samba-team/devel/samba/-/commits/iboukris-metze-cbind
>>
>> However the fixed clients aren't working against samba server yet,
>> unless require-strong-auth is set to "no", while non-fixed clients
>> still work. I get this error (I also wonder how can I trigger the
>> source4 client code).
>
> Actually, Windows client seem to work fine against your source4 server
> code, even with require-strong-auth=yes. So I'm still missing
> something on the client side :(
Why? I guess the server just completely ignores the channel bindings.
What application on the Windows client uses ldaps?
Note that I fixed the channel binding checksum for NTLMSSP here:
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=e5afb9ff2aa23d43d0b968a3eca7ceffe1c8d606
With this commit where're able to pass the LdapEnforceChannelBinding=1
checks:
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=ad59689961c860e38fb1d0e8c8996070faf77180
So for NTLMSSP the presence of MsvChannelBindings means strict checking
of the provided channel bindings, even if 16 zero bytes are send.
For kerberos only AD-AP-OPTIONS means strict checking and not ignoring
16 zeros.
And MsvAvTargetName is similar to AD-TARGET-PRINCIPAL.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20200226/5d76464b/signature.sig>
More information about the samba-technical
mailing list