[Samba] LDAP signing and channel binding

Björn JACKE bj at SerNet.DE
Fri Jan 31 19:35:07 UTC 2020


On 2020-01-29 at 14:01 +1300 Andrew Bartlett via samba sent off:
> On Tue, 2020-01-28 at 16:38 -0800, Alexey A Nikitin wrote:
> > On Tuesday, 28 January 2020 15:57:47 PST Andrew Bartlett wrote:
> > > On Tue, 2020-01-28 at 15:24 -0800, Alexey A Nikitin via samba
> > > wrote:
> > > > I'm having hard time finding any definitive information on
> > > > whether
> > > > Winbind supports LDAP signing (I assume 'yes') and channel
> > > > binding.
> > > > I read
> > > > https://wiki.samba.org/index.php/Samba_Security_Documentation#Special_dangers_of_NTLMSSP_and_Kerberos_over_TLS
> > > > to mean 'no' for channel binding, unless that documentation is
> > > > outdated or I misunderstand it.
> > > 
> > > Correct.  We don't support channel binding in our client or
> > > server.
> > > While we avoid this combination where possible, we would gladly
> > > accept funding to add it client and server (DC) side for the cases
> > > where (per below) it is forced.
> > > 
> > 
> > So considering Microsoft is planning to release a patch in March 2020
> > (
> > https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
> > ) that would force signing and channel binding for LDAP,
> > Samba/Winbind developers seem to be rather calm about it. I admit I'm
> > still learning about AD DS (as well as Winbind), so please correct me
> > if my understanding is wrong - the above mentioned upcoming patch is
> > generally not a concern because channel binding applies only to LDAP
> > authentication over TLS, and there is usually still an option of
> > authentication using Kerberos and SPNEGO instead of LDAPS. Is my
> > understanding correct?
> 
> In short, we hope so.  It would still be great if this could be
> developed, we know that some sites do enforce the use of TLS for
> various reasons.
> 
> Also, even with the warnings, the Samba development community is small
> and is funded significantly by customer needs/priorities.  So it can
> happen that even with warnings such as these it needs a customer to
> jump up and down before someone is able to put in the time.
> 
> A fix for this in Samba (for the winbind side) won't be trivial, we
> would need to read the SSL session ID from inside OpenLDAP's use of
> OpenSSL.  The Samba AD DC may be easier to patch, as we control the
> stack down to GnuTLS in that case.

The LdapEnforceChannelBinding setting from ADV190023 is obviously for enforcing the
standardized TLS extension for channel bindings, see RFC 5929. And I
just saw that GnuTLS has supported that since 2.11.4 already.

For our client side it looks like it's time to move away from OpenLDAP to tldap
finally, to get control over the TLS layer. Has someone already started working
on getting tldap for our client side?

Björn
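As an added illustration of the RFC 5929 mechanism referred to above (example code written for this page, not Samba, OpenLDAP or GnuTLS code), the following Python computes the "tls-server-end-point" channel binding from a server certificate and the channel-binding hash an NTLMv2 client carries in its MsvAvChannelBindings AV pair (serialised as the gss_channel_bindings_struct of RFC 4121 section 4.1.1.2 / MS-NLMP section 3.1.5.1.2, as understood by the author of this example). The certificate byte strings are constructed placeholders, not real DER certificates, and the signature-algorithm-to-hash table is an assumed subset of what RFC 5929 section 4.1 prescribes (MD5 and SHA-1 signatures map to SHA-256). The final function shows why the binding defends against relaying: a server that sees a different certificate hash than the one its own TLS endpoint presents can reject the authentication.

```python
"""RFC 5929 tls-server-end-point channel binding, NTLM-style.

Added example for the Samba list thread on LDAP channel binding; not
Samba's code. Certificate bytes below are constructed placeholders.
"""
import hashlib
import hmac
import struct

# RFC 5929 section 4.1: hash the certificate with the hash function of its
# signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256.
# Assumed subset of algorithm names, for illustration only.
_SIG_HASH = {
    "md5WithRSAEncryption": "sha256",
    "sha1WithRSAEncryption": "sha256",
    "sha256WithRSAEncryption": "sha256",
    "sha384WithRSAEncryption": "sha384",
    "sha512WithRSAEncryption": "sha512",
    "ecdsa-with-SHA256": "sha256",
    "ecdsa-with-SHA384": "sha384",
}

# Constructed placeholder "certificates" (not valid DER).
SERVER_CERT = b"\x30\x82constructed-server-cert-A"
OTHER_CERT = b"\x30\x82constructed-server-cert-B"


def tls_server_end_point(cert_der: bytes, sig_alg: str) -> bytes:
    """Return the RFC 5929 tls-server-end-point value for a DER certificate."""
    try:
        hash_name = _SIG_HASH[sig_alg]
    except KeyError:
        raise ValueError(f"no channel-binding hash defined for {sig_alg}")
    return hashlib.new(hash_name, cert_der).digest()


def channel_binding_app_data(cert_der: bytes, sig_alg: str) -> bytes:
    """application_data of the channel bindings: type prefix plus cert hash."""
    return b"tls-server-end-point:" + tls_server_end_point(cert_der, sig_alg)


def ntlm_channel_binding_value(app_data: bytes) -> bytes:
    """MD5 over the serialised gss_channel_bindings_struct.

    Layout per RFC 4121 4.1.1.2 / RFC 1964 4.1.1 with little-endian lengths:
    initiator_addrtype, initiator_address, acceptor_addrtype,
    acceptor_address (all zero/empty for TLS), then application_data.
    """
    buf = struct.pack("<I", 0)                  # initiator_addrtype
    buf += struct.pack("<I", 0)                 # initiator_address length
    buf += struct.pack("<I", 0)                 # acceptor_addrtype
    buf += struct.pack("<I", 0)                 # acceptor_address length
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def client_binding(cert_der: bytes, sig_alg: str) -> bytes:
    """What the client puts into MsvAvChannelBindings for the cert it saw."""
    return ntlm_channel_binding_value(channel_binding_app_data(cert_der, sig_alg))


def server_accepts(server_cert_der: bytes, sig_alg: str, presented: bytes) -> bool:
    """Server-side check: the binding must match the server's own certificate.

    A client that authenticated through an intermediary saw a different
    certificate, so its binding will not match and the server can refuse.
    """
    expected = client_binding(server_cert_der, sig_alg)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    cb = client_binding(SERVER_CERT, "sha256WithRSAEncryption")
    print("binding:", cb.hex())
    print("same endpoint accepted:", server_accepts(SERVER_CERT, "sha256WithRSAEncryption", cb))
    print("other endpoint accepted:", server_accepts(OTHER_CERT, "sha256WithRSAEncryption", cb))
```

Note the asymmetry the thread is about: the server side only needs its own certificate and the client's AV pair, whereas the client side must be able to obtain the peer certificate from whatever TLS library the LDAP client uses, which is the part that is awkward when that library is hidden behind OpenLDAP.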


