Channel-binding support: part 1

Isaac Boukris iboukris at
Wed Jun 17 13:28:26 UTC 2020

Hi metze / all,

Following previous discussions and the wip at:

I think we still cannot allow SASL auth over TLS by default, even if
we start passing bindings when over TLS on both client and server
sides, as long as we don't have support in Heimdal for

However, I think it will still be useful if we start to pass the
bindings as clients (and as servers when we can), without taking
advantage of it for the above purpose yet.
What we gain is to be able to connect to AD servers with
LdapEnforceChannelBinding=2, and later to Samba servers that support

I've updated the MR with patches in that direction; for that I added a
new smb.conf option similar to LdapEnforceChannelBinding, but I'm
not yet clear on what this should look like.

