[Samba] LDAP channel binding and LDAP signing?
abartlet at samba.org
Wed Jan 15 20:22:00 UTC 2020
Samba has, since the big 'badlock' release, defaulted to refusing
plaintext, unsigned LDAP and also refusing to put Kerberos or NTLM over
This is controlled by "ldap server require strong auth"
Samba does not implement channel bindings (patches or funding welcome)
which is why we don't allow SASL (NTLM/Kerberos) over TLS, we strongly
recommend relying on the NTLM or Kerberos layer for that security, it
provides good mutual authentication without needing to check
certificates against a private CA.
Also, at the time the badlock patch was done no known client used it
for LDAP; the feature originally came from HTTP Negotiate.
So, in short, Samba (Metze gets the credit) realised this was a bad
thing in 2016 (and yes, we shared our thoughts then). I'm glad
Microsoft has since then come to the same conclusion.
What will be a problem, as I read it, is winbindd if 'ldap ssl ads =
yes' is set, and ldbsearch (against ldaps:// URLs, when not using a
I trust this clarifies things,
On Wed, 2020-01-15 at 11:22 +0000, A. James Lewis via samba wrote:
> I found this in the samba security manual, but it could be interpreted
> to mean that the feature isn't implemented, and so winbind would stop
> working after Microsoft release the proposed patch! I hope someone can
> On 15/01/2020 00:22, A. James Lewis via samba wrote:
> > With Microsoft talking about AD changes in upcoming patches, I'm
> > wondering if someone on this list has any insight into whether this
> > will impact Samba(winbind).... and/or what version of Samba would be
> > required to ensure continued operation if so?
> > Hope someone can shed some light!
> > https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
> ค. ﻝค๓єร ɭєฬเร (james at fsck.co.uk)
> "Engineering does not require science. Science helps a lot but people
> built perfectly good brick walls long before they knew why cement works."
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
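An added configuration audit for the settings discussed above (written for this page, not Samba's own code): it parses the [global] section of an smb.conf and reports whether "ldap server require strong auth" still permits weak LDAP binds, and flags "ldap ssl ads = yes" as the winbindd case Andrew points at. The sample configs are constructed, and the parser assumes plain key = value lines.

```python
"""Audit smb.conf [global] for the LDAP signing / strong-auth settings."""

# Values smb.conf(5) accepts for "ldap server require strong auth".
STRONG_AUTH_VALUES = {"no", "allow_sasl_over_tls", "yes"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: returns {section: {key: value}} with
    whitespace-normalised, lowercased keys. Comments start with # or ;."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][" ".join(key.lower().split())] = val.strip()
    return sections


def audit_ldap_auth(text):
    """Return a list of findings; an empty list means the DC refuses
    plaintext/unsigned binds and SASL over TLS (the post-badlock default)."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    # Unset means the post-badlock default, which is "yes".
    value = glob.get("ldap server require strong auth", "yes").lower()
    if value not in STRONG_AUTH_VALUES:
        findings.append(f"unknown value for ldap server require strong auth: {value!r}")
    elif value == "no":
        findings.append("simple binds over plaintext/unsigned LDAP are accepted")
    elif value == "allow_sasl_over_tls":
        findings.append("SASL (NTLM/Kerberos) over TLS accepted without channel binding")
    if glob.get("ldap ssl ads", "no").lower() == "yes":
        findings.append("winbindd uses ldaps:// (ldap ssl ads = yes); review against the DC policy")
    return findings


# Constructed sample configs: a weakened DC and the default-strength one.
WEAK_CONF = "[global]\n\tldap server require strong auth = no\n\tldap ssl ads = yes\n"
STRONG_CONF = "[global]\n\t# left unset, so the default of yes applies\n\tworkgroup = EXAMPLE\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("strong", STRONG_CONF)):
        print(name, audit_ldap_auth(conf) or ["ok"])
```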