ADV190023 | LDAP channel binding support
Isaac Boukris
iboukris at gmail.com
Wed Feb 26 18:54:45 UTC 2020
On Wed, Feb 26, 2020 at 3:57 PM Isaac Boukris <iboukris at gmail.com> wrote:
>
> On Wed, Feb 26, 2020 at 3:39 PM Stefan Metzmacher <metze at samba.org> wrote:
> >
> > Am 26.02.20 um 15:21 schrieb Isaac Boukris via samba-technical:
>
> > So for NTLMSSP the presence of MsvChannelBindings means strict checking
> > of the provided channel bindings, even if 16 zero bytes are sent.
> >
> > For kerberos only AD-AP-OPTIONS means strict checking and not ignoring
> > 16 zeros.
>
> So they are the same flag I guess.
Oh, I misread you, they slightly differ then.
As for the net-ads / ldapsearch failure, this is the error:
[2020/02/26 19:18:16.627426,  1] ../../source4/auth/gensec/gensec_gssapi.c:806(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed: Incorrect channel bindings were supplied: Success
Although they send the same bindings...
ldapsearch - fails:
  authenticator
    authenticator-vno: 5
    crealm: SMB.NET
    cname
    cksum
      cksumtype: cKSUMTYPE-GSSAPI (32771)
      checksum: 100000009e41a51ed7c90b3597bc7217c4d3c41e3a010000
        Length: 16
        Bnd: 9e41a51ed7c90b3597bc7217c4d3c41e
        .... .... .... .... ...0 .... .... .... = DCE-style: Not using DCE-STYLE
        .... .... .... .... .... .... ..1. .... = Integ: Integrity protection (signing) may be invoked
        .... .... .... .... .... .... ...1 .... = Conf: Confidentiality (sealing) may be invoked
        .... .... .... .... .... .... .... 1... = Sequence: Enable Out-of-sequence detection for sign or sealed messages
        .... .... .... .... .... .... .... .0.. = Replay: Do NOT enable replay protection
        .... .... .... .... .... .... .... ..1. = Mutual: Request that remote peer authenticates itself
        .... .... .... .... .... .... .... ...0 = Deleg: Do NOT delegate
    cusec: 721923
    ctime: 2020-02-26 18:43:22 (UTC)
    subkey
    seq-number: 840038277
Windows client - success:
  authenticator
    authenticator-vno: 5
    crealm: SMB.NET
    cname
    cksum
      cksumtype: cKSUMTYPE-GSSAPI (32771)
      checksum: 100000009e41a51ed7c90b3597bc7217c4d3c41e02400000
        Length: 16
        Bnd: 9e41a51ed7c90b3597bc7217c4d3c41e
        .... .... .... .... ...0 .... .... .... = DCE-style: Not using DCE-STYLE
        .... .... .... .... .... .... ..0. .... = Integ: Do NOT use integrity protection
        .... .... .... .... .... .... ...0 .... = Conf: Do NOT use Confidentiality (sealing)
        .... .... .... .... .... .... .... 0... = Sequence: Do NOT enable out-of-sequence detection
        .... .... .... .... .... .... .... .0.. = Replay: Do NOT enable replay protection
        .... .... .... .... .... .... .... ..1. = Mutual: Request that remote peer authenticates itself
        .... .... .... .... .... .... .... ...0 = Deleg: Do NOT delegate
    cusec: 73
    ctime: 2020-02-26 18:24:27 (UTC)
    subkey
    seq-number: 2072188652
    authorization-data: 1 item
      AuthorizationData item
        ad-type: AD-IF-RELEVANT (1)
        ad-data: 3081a9303fa0040202008da137043530333031a003020100a12a04280000000000300000…
          AuthorizationData item
            ad-type: AD-TOKEN-RESTRICTIONS (141)
            ad-data: 30333031a003020100a12a04280000000000300000f450fe871880d38a409147a4f8e2d7…
              restriction-type: 0
              restriction: 0000000000300000f450fe871880d38a409147a4f8e2d79a2107498eaab6449f374a2ec1…
          AuthorizationData item
            ad-type: AD-LOCAL (142)
            ad-data: b0b55b71c9010000876ec90000000000
          AuthorizationData item
            ad-type: AD-AP-OPTIONS (143)
            ad-data: 00400000
              AD-AP-Options: 0x00004000, ChannelBindings
                .... .... .... .... .1.. .... .... .... = ChannelBindings: Set
          AuthorizationData item
            ad-type: AD-TARGET-PRINCIPAL (144)
            ad-data: 6c006400610070002f007300640063002e0073006d0062002e006e006500740040005300…
              Target Principal: ldap/sdc.smb.net at SMB.NET
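The two checksums above differ only in their trailing flag word, and the Windows client additionally carries AD-AP-OPTIONS with the ChannelBindings bit. The following decoder is an added example and not code from the thread or from Samba: it parses the cksumtype 0x8003 checksum laid out by RFC 1964 / RFC 4121 (Lgth, Bnd, little-endian Flags), decodes the MS-KILE AD-AP-OPTIONS blob (KERB_AP_OPTIONS_CBT = 0x4000), and shows how the Bnd value is derived as an MD5 over the GSS channel-bindings structure. Flag names for 0x1000, 0x2000 and 0x4000 follow MS-KILE; the 0x100 bit in the ldapsearch checksum is reported as an undecoded bit rather than named. The certificate bytes passed to the tls-server-end-point helper are a constructed placeholder, so the resulting hash will not match the 9e41a5... value in the capture, whose server certificate is not on the page.

```python
"""Decode the GSSAPI authenticator checksum (cksumtype 0x8003) and the MS-KILE
AD-AP-OPTIONS blob from the two Kerberos authenticators above."""
import hashlib
import struct

# Bits 0..5 are the RFC 2744 request flags carried in the RFC 1964 checksum;
# 0x1000, 0x2000 and 0x4000 are the Microsoft extensions documented in MS-KILE.
GSS_FLAGS = {
    0x0001: "DELEG",
    0x0002: "MUTUAL",
    0x0004: "REPLAY",
    0x0008: "SEQUENCE",
    0x0010: "CONF",
    0x0020: "INTEG",
    0x1000: "DCE_STYLE",
    0x2000: "IDENTIFY",
    0x4000: "EXTENDED_ERROR",
}
KNOWN_FLAG_MASK = sum(GSS_FLAGS)

# MS-KILE AD-AP-OPTIONS: a 32-bit little-endian word; this bit tells the
# acceptor that the Bnd field must be enforced, not ignored.
KERB_AP_OPTIONS_CBT = 0x4000

# An initiator that has no channel bindings sends 16 zero octets as Bnd.
NULL_BND = bytes(16)


def parse_gss_checksum(hexstr):
    """Split a 0x8003 checksum into Lgth, Bnd and Flags (RFC 4121 4.1.1.2)."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 24:
        raise ValueError("checksum too short for Lgth+Bnd+Flags")
    lgth = struct.unpack_from("<I", raw, 0)[0]
    if lgth != 16:
        raise ValueError("unexpected Lgth %d (Bnd is always 16 octets)" % lgth)
    bnd = raw[4:20]
    flags = struct.unpack_from("<I", raw, 20)[0]
    return {
        "bnd": bnd.hex(),
        "null_bindings": bnd == NULL_BND,
        "flags": flags,
        "names": [name for bit, name in GSS_FLAGS.items() if flags & bit],
        # Anything outside the table is left raw rather than given a name.
        "unknown_bits": flags & ~KNOWN_FLAG_MASK,
        # Trailing octets, if any, hold DlgOpt/Deleg and extensions.
        "trailer": raw[24:].hex(),
    }


def parse_ap_options(hexstr):
    """Decode the 4-octet AD-AP-OPTIONS ad-data (little-endian, per MS-KILE)."""
    value = struct.unpack("<I", bytes.fromhex(hexstr))[0]
    return {"value": value, "cbt": bool(value & KERB_AP_OPTIONS_CBT)}


def channel_binding_hash(application_data, initiator_addrtype=0,
                         initiator_address=b"", acceptor_addrtype=0,
                         acceptor_address=b""):
    """Bnd as RFC 1964 4.1.1.2 defines it: MD5 over the channel-bindings
    fields in order, each length as a 32-bit little-endian integer."""
    buf = struct.pack("<II", initiator_addrtype, len(initiator_address))
    buf += initiator_address
    buf += struct.pack("<II", acceptor_addrtype, len(acceptor_address))
    buf += acceptor_address
    buf += struct.pack("<I", len(application_data)) + application_data
    return hashlib.md5(buf).digest()


def tls_server_end_point(cert_der):
    """RFC 5929 tls-server-end-point application data. SHA-256 is used here;
    the RFC ties the hash to the certificate's signature algorithm."""
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


if __name__ == "__main__":
    for label, cksum in (
        ("ldapsearch", "100000009e41a51ed7c90b3597bc7217c4d3c41e3a010000"),
        ("windows", "100000009e41a51ed7c90b3597bc7217c4d3c41e02400000"),
    ):
        print(label, parse_gss_checksum(cksum))
    print("AD-AP-OPTIONS", parse_ap_options("00400000"))
    # Constructed placeholder certificate bytes, not the sdc.smb.net cert.
    print("Bnd for sample cert",
          channel_binding_hash(tls_server_end_point(b"placeholder-cert")).hex())
```

Run against the two captures, the decoder reports the same Bnd for both, MUTUAL|SEQUENCE|CONF|INTEG plus an undecoded 0x100 bit for ldapsearch, MUTUAL|EXTENDED_ERROR for the Windows client, and CBT set in the Windows AD-AP-OPTIONS, which is what the earlier part of the thread says triggers strict checking on the Kerberos side.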