Channel-binding support: part 1

Isaac Boukris iboukris at gmail.com
Wed Jun 17 13:28:26 UTC 2020


Hi metze / all,

Following previous discussions and the wip at:
https://gitlab.com/samba-team/samba/-/merge_requests/1262

I think we still cannot allow SASL auth over TLS by default, even if
we start passing bindings when over TLS on both client and server
sides, as long as we don't have support in heimdal for
KERB_AP_OPTIONS_CBT and the GSS_C_CHANNEL_BOUND_FLAG options.

However, I think it will still be useful if we start to pass the
bindings as clients (and as servers when we can), without taking
advantage of it for the above purpose yet.
What we gain is to be able to connect to AD servers with
LdapEnforceChannelBinding=2, and later to samba servers that support
it.

I've updated the MR with patches in that direction; for that I added a
new smb.conf option similar to LdapEnforceChannelBinding, but I'm not
yet clear on how this should look.

Thoughts?
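As an added illustration (not Samba or heimdal code, and not part of the mail above), the following models the acceptor-side decision for GSSAPI/Kerberos over TLS under the three LdapEnforceChannelBinding levels; it shows why level 1 needs the client's KERB_AP_OPTIONS_CBT (or GSS_C_CHANNEL_BOUND_FLAG) in addition to the binding itself, which is the gap the mail describes. The flag and checksum semantics follow my reading of MS-KILE, RFC 4121 and RFC 5929 and are assumptions, as are the constructed certificate bytes.

```python
"""Added example, not Samba or heimdal code: models the acceptor-side
decision an LDAP server makes for GSSAPI/Kerberos auth over TLS under
LdapEnforceChannelBinding 0/1/2. Flag semantics follow my reading of
MS-KILE (AD-AP-OPTIONS), RFC 4121 4.1.1.2 and RFC 5929; treat as assumptions."""
import hashlib
from typing import Optional

KERB_AP_OPTIONS_CBT = 0x4000  # MS-KILE: client understands channel bindings

# RFC 5929 tls-server-end-point: hash of the server cert DER with the
# cert's signature hash, except MD5 and SHA-1 which are promoted to SHA-256.
_CB_HASH = {"md5": "sha256", "sha1": "sha256", "sha256": "sha256",
            "sha384": "sha384", "sha512": "sha512"}

def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    return hashlib.new(_CB_HASH[sig_hash], cert_der).digest()

def krb5_bnd(app_data: Optional[bytes]) -> bytes:
    """Bnd field of the RFC 4121 checksum: MD5 over the channel-binding
    struct (little-endian lengths, no addresses), or 16 zero bytes when the
    initiator passed GSS_C_NO_CHANNEL_BINDINGS."""
    if app_data is None:
        return bytes(16)
    zero = (0).to_bytes(4, "little")
    struct = zero * 4 + len(app_data).to_bytes(4, "little") + app_data
    return hashlib.md5(struct).digest()

def accept(level: int, server_cb: bytes, client_bnd: bytes, ap_options: int) -> bool:
    """level 0: never check. level 1: reject a mismatch, and reject an
    absent binding only from a client that advertised KERB_AP_OPTIONS_CBT.
    level 2: a matching binding is always required."""
    if level == 0:
        return True
    if client_bnd == krb5_bnd(server_cb):
        return True
    legacy = client_bnd == bytes(16) and not (ap_options & KERB_AP_OPTIONS_CBT)
    return level == 1 and legacy

def decision_matrix(cert_der: bytes) -> dict:
    """Constructed scenarios: a binding client, a legacy client without
    bindings, and a client whose binding was computed over a different
    certificate (a TLS endpoint other than this server)."""
    cb = tls_server_end_point(cert_der, "sha256")
    other = tls_server_end_point(b"constructed: some other cert", "sha256")
    clients = {"bound": (krb5_bnd(cb), KERB_AP_OPTIONS_CBT),
               "legacy": (krb5_bnd(None), 0),
               "other_cert": (krb5_bnd(other), KERB_AP_OPTIONS_CBT)}
    return {lvl: {name: accept(lvl, cb, bnd, opts) for name, (bnd, opts) in clients.items()}
            for lvl in (0, 1, 2)}
```

Without the ap_options input, an acceptor sees only client_bnd and cannot implement level 1, leaving the choice between 0 (no check) and 2 (breaks legacy clients).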
