[Samba] LDAP signing and channel binding

Alexey A Nikitin nikitin at amazon.com
Fri Jan 31 20:33:40 UTC 2020


Thank you for the RFC reference, that actually helps me a great deal to understand what's going on there.


On Friday, 31 January 2020 11:35:42 PST Björn JACKE via samba-technical wrote:
> On 2020-01-29 at 14:01 +1300 Andrew Bartlett via samba sent off:
> > On Tue, 2020-01-28 at 16:38 -0800, Alexey A Nikitin wrote:
> > > On Tuesday, 28 January 2020 15:57:47 PST Andrew Bartlett wrote:
> > > > On Tue, 2020-01-28 at 15:24 -0800, Alexey A Nikitin via samba
> > > > wrote:
> > > > > I'm having a hard time finding any definitive information on
> > > > > whether
> > > > > Winbind supports LDAP signing (I assume 'yes') and channel
> > > > > binding.
> > > > > I read 
> > > > > 
> > https://wiki.samba.org/index.php/Samba_Security_Documentation#Special_dangers_of_NTLMSSP_and_Kerberos_over_TLS
> > > > > to mean 'no' for channel binding, unless that documentation is
> > > > > outdated or I misunderstand it.
> > > > 
> > > > Correct.  We don't support channel binding in our client or
> > > > server. 
> > > > While we avoid this combination where possible, we would gladly
> > > > accept
> > > > funding to add it client and server (DC) side for the cases
> > > > where
> > > > (per below) it is forced.
> > > > 
> > > 
> > > So considering Microsoft is planning to release a patch in March 2020
> > > (
> > > https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
> > > ) that would force signing and channel binding for LDAP,
> > > Samba/Winbind developers seem to be rather calm about it. I admit I'm
> > > still learning about AD DS (as well as Winbind), so please correct me
> > > if my understanding is wrong - the above mentioned upcoming patch is
> > > generally not a concern because channel binding applies only to LDAP
> > > authentication over TLS, and there is usually still an option of
> > > authentication using Kerberos and SPNEGO instead of LDAPS. Is my
> > > understanding correct?
> > 
> > In short, we hope so.  It would still be great if this could be
> > developed, we know that some sites do enforce the use of TLS for
> > various reasons.
> > 
> > Also, even with the warnings, the Samba development community is small
> > and is funded significantly by customer needs/priorities.  So it can
> > happen that even with warnings such as these it needs a customer to
> > jump up and down before someone is able to put in the time.
> > 
> > A fix for this in Samba (for the winbind side) won't be trivial, we
> > would need to read the SSL session ID from inside OpenLDAP's use of
> > OpenSSL.  The Samba AD DC may be easier to patch, as we control the
> > stack down to GnuTLS in that case.
> 
> the LdapEnforceChannelBinding from ADV190023 is obviously for enforcing the
> standardized TLS extension for Channel Bindings, see RFC5929. And I
> just saw that GnuTLS supports that since 2.11.4 already.
> 
> For our client side it looks like it's time to move away from openldap to tldap
> finally to get control over the TLS layer. Has someone already started to work
> out getting tldap for our client side?
> 
> Björn
> 
> 

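The thread above discusses what a channel-binding-aware LDAP client or DC would have to compute. As an added illustration (not Samba code, not from any of the posters), the block below derives the RFC 5929 `tls-server-end-point` binding from a server certificate and packs it into the MD5 value that MS-NLMP calls MsvChannelBindings (the NTLM AV_PAIR carrying the binding), then shows the check a server would do on receipt. Everything is standard library. The "certificates" are constructed stand-ins with only the outer DER shape of an X.509 Certificate, so the OID parser can be exercised offline; the OID-to-hash table covers common signature algorithms only, and the function names are this example's own.

```python
"""RFC 5929 tls-server-end-point channel binding and the NTLM
MsvChannelBindings (MS-NLMP AV_PAIR 0x000A) derived from it.
Added example; stdlib only; certificates below are constructed stand-ins."""
import hashlib
import hmac
import struct

# Signature-algorithm OID -> hash for tls-server-end-point (RFC 5929 section 4.1):
# MD5 and SHA-1 are replaced by SHA-256; other algorithms use their own hash.
_SIGALG_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption   -> sha256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption  -> sha256
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1        -> sha256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    first = raw[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate and return the OID inside signatureAlgorithm."""
    tag, start, _ = _der_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _, tbs_end = _der_tlv(cert_der, start)            # skip tbsCertificate
    tag, alg_start, _ = _der_tlv(cert_der, tbs_end)      # AlgorithmIdentifier
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_start, oid_end = _der_tlv(cert_der, alg_start)
    assert tag == 0x06, "expected OID"
    return _decode_oid(cert_der[oid_start:oid_end])

def hash_for_signature_algorithm(oid):
    """Hash name per RFC 5929, or None when no binding is defined for the OID."""
    return _SIGALG_HASH.get(oid)

def tls_server_end_point(cert_der):
    """Channel binding data: hash of the DER certificate with the selected hash."""
    algo = hash_for_signature_algorithm(signature_algorithm_oid(cert_der))
    if algo is None:
        raise ValueError("no tls-server-end-point binding defined for this signature algorithm")
    return hashlib.new(algo, cert_der).digest()

def ntlm_channel_binding_hash(cert_der):
    """MsvChannelBindings: MD5 over an RFC 2744 gss_channel_bindings_struct with
    empty addresses and application_data = "tls-server-end-point:" + cert hash.
    Integer fields are 32-bit little-endian (as in the RFC 1964 checksum)."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der)
    gss_cb = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(gss_cb).digest()

def server_accepts(received_cbt, own_cert_der):
    """What an enforcing server does: recompute from the certificate it actually
    presented and compare. A client bound to a relay's certificate fails here."""
    return hmac.compare_digest(received_cbt, ntlm_channel_binding_hash(own_cert_der))

# --- constructed stand-in certificates (NOT real X.509; outer shape only) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def constructed_cert(sig_oid, label=b"constructed tbsCertificate placeholder"):
    """Build SEQUENCE { tbs placeholder, AlgorithmIdentifier{oid, NULL}, BIT STRING }."""
    tbs = _der(0x30, _der(0x02, b"\x02") + _der(0x0C, label))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))

if __name__ == "__main__":
    dc_cert = constructed_cert("1.2.840.113549.1.1.11")
    relay_cert = constructed_cert("1.2.840.113549.1.1.11", b"a different certificate")
    cbt = ntlm_channel_binding_hash(dc_cert)
    print("MsvChannelBindings:", cbt.hex())
    print("genuine DC accepts:", server_accepts(cbt, dc_cert))
    print("bound to relay cert, DC accepts:", server_accepts(ntlm_channel_binding_hash(relay_cert), dc_cert))
```

The last two lines of the demo are the point of LdapEnforceChannelBinding: the binding is tied to the certificate the client actually saw, so an NTLM exchange captured through a TLS-terminating relay carries a hash of the relay's certificate and is rejected by the real DC.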