ADV190023 | LDAP channel binding support

Isaac Boukris iboukris at gmail.com
Wed Feb 26 14:57:33 UTC 2020


On Wed, Feb 26, 2020 at 3:39 PM Stefan Metzmacher <metze at samba.org> wrote:
>
> Am 26.02.20 um 15:21 schrieb Isaac Boukris via samba-technical:
> > On Tue, Feb 25, 2020 at 9:17 PM Isaac Boukris <iboukris at gmail.com> wrote:
> >>
> >>> I looked at it a bit, see
> >>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f
> >>
> >> FYI, I got net-ads working against AD server by adding some logic in
> >> source3, look:
> >> https://gitlab.com/samba-team/devel/samba/-/commits/iboukris-metze-cbind
> >>
> >> However the fixed clients aren't working against samba server yet,
> >> unless require-strong-auth is set to "no", while non-fixed clients
> >> still work. I get this error (I also wonder how can I trigger the
> >> source4 client code).
> >
> > Actually, Windows clients seem to work fine against your source4 server
> > code, even with require-strong-auth=yes.  So I'm still missing
> > something on the client side :(
>
> Why? I guess the server just completely ignores the channel bindings.

I need to debug the server, but it fails the fixed net-ads and
ldapsearch, which work against AD, and doesn't fail Windows clients.
The only difference, to my understanding, is that the Windows client will
add the AD elements; can that be the cause?

> What application on the Windows client uses ldaps?

Run "ldp.exe", it has everything.

> Note that I fixed the channel binding checksum for NTLMSSP here:
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=e5afb9ff2aa23d43d0b968a3eca7ceffe1c8d606
>
> With this commit we're able to pass the LdapEnforceChannelBinding=1
> checks:
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=ad59689961c860e38fb1d0e8c8996070faf77180

I'll keep rebasing on metze/master-auth branch.

> So for NTLMSSP the presence of MsvChannelBindings means strict checking
> of the provided channel bindings, even if 16 zero bytes are sent.
>
> For kerberos only AD-AP-OPTIONS means strict checking and not ignoring
> 16 zeros.

So they are the same flag I guess.

> And MsvAvTargetName is similar to AD-TARGET-PRINCIPAL.

Thanks!
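Added illustration (not code from this thread or from Samba) of the server-side rule discussed above: the same MD5 over an RFC 4121 gss_channel_bindings_struct carries the tls-server-end-point binding for both NTLMSSP (MsvAvChannelBindings) and the Kerberos 0x8003 checksum, and the "strict" switch is the presence of that AV pair or of KERB_AP_OPTIONS_CBT in AD-AP-OPTIONS. The certificate bytes are constructed, SHA-256 is assumed for the certificate hash, and the verdict function is a hypothetical model of the behaviour described, not Samba's implementation.

```python
import hashlib
import struct

# Constructed stand-in for the DER bytes of the LDAP server's TLS certificate.
SERVER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-certificate-body" * 4

# Value MS-NLMP clients send in MsvAvChannelBindings when they have no bindings.
ZERO_CB = bytes(16)
# KERB_AP_OPTIONS_CBT bit carried in the AD-AP-OPTIONS authorization data (MS-KILE).
KERB_AP_OPTIONS_CBT = 0x00004000


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point application data (SHA-256 assumed here)."""
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def gss_channel_bindings_struct(app_data: bytes) -> bytes:
    """RFC 4121 4.1.1.2 encoding with no initiator/acceptor addresses:
    four little-endian zero ints (16 bytes), then length-prefixed app data."""
    return struct.pack("<IIII", 0, 0, 0, 0) + struct.pack("<I", len(app_data)) + app_data


def channel_bindings_hash(cert_der: bytes) -> bytes:
    """16-byte MD5 that both MsvAvChannelBindings and the Kerberos
    0x8003 checksum Bnd field carry for this server certificate."""
    return hashlib.md5(gss_channel_bindings_struct(tls_server_end_point(cert_der))).digest()


def kerberos_strict(ad_ap_options: int) -> bool:
    """Kerberos side: strict only when AD-AP-OPTIONS has the CBT bit set."""
    return bool(ad_ap_options & KERB_AP_OPTIONS_CBT)


def server_verdict(client_cb, strict: bool, cert_der: bytes = SERVER_CERT_DER) -> str:
    """Hypothetical server decision. client_cb is the 16-byte value the client
    sent (None if none). strict is True when MsvAvChannelBindings is present
    (NTLMSSP) or KERB_AP_OPTIONS_CBT is set (Kerberos)."""
    if not strict:
        return "accept-unbound"          # legacy client, nothing to compare
    if client_cb == channel_bindings_hash(cert_der):
        return "accept"
    return "reject"                      # 16 zero bytes are not ignored once strict


if __name__ == "__main__":
    print(server_verdict(channel_bindings_hash(SERVER_CERT_DER), strict=True))  # accept
    print(server_verdict(ZERO_CB, strict=True))                                 # reject
    print(server_verdict(None, strict=kerberos_strict(0)))                      # accept-unbound
```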
