[Samba] LDAP channel binding and LDAP signing?

Andrew Bartlett abartlet at samba.org
Wed Jan 15 20:22:00 UTC 2020

Samba has, since the big 'badlock' release, defaulted to refusing
plaintext, unsigned LDAP and also refusing to put Kerberos or NTLM over

This is controlled by "ldap server require strong auth"

Samba does not implement channel bindings (patches or funding welcome),
which is why we don't allow SASL (NTLM/Kerberos) over TLS. We strongly
recommend relying on the NTLM or Kerberos layer for that security; it
provides good mutual authentication without needing to check
certificates against a private CA.

Also, at the time the badlock patch was done no known client used it
for LDAP; the feature originally came from HTTP Negotiate.

So, in short, Samba (Metze gets the credit) realised this was a bad
thing in 2016 (and yes, we shared our thoughts then). I'm glad
Microsoft has since then come to the same conclusion.

What will be a problem, as I read it, is winbindd if 'ldap ssl ads =
yes' is set, and ldbsearch (against ldaps:// URLs, when not using a
simple bind).

I trust this clarifies things,

Andrew Bartlett

On Wed, 2020-01-15 at 11:22 +0000, A. James Lewis via samba wrote:
> I found this in the samba security manual, but it could be interpreted 
> to mean that the feature isn't implemented, and so winbind would stop 
> working after Microsoft release the proposed patch!  I hope someone can 
> clarify.
> On 15/01/2020 00:22, A. James Lewis via samba wrote:
> > With Microsoft talking about AD changes in upcoming patches, I'm 
> > wondering if someone on this list has any insight into whether this 
> > will impact Samba(winbind).... and/or what version of Samba would be 
> > required to ensure continued operation if so?
> > 
> > Hope someone can shed some light!
> > 
> > https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows 
> > 
> > 
> -- 
> ค. ﻝค๓єร ɭєฬเร (james at fsck.co.uk)
> "Engineering does not require science. Science helps a lot but people
> built perfectly good brick walls long before they knew why cement works."
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
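As an added illustration (not code from Samba or from anyone in this thread), a small audit of the two smb.conf parameters the message discusses: "ldap server require strong auth" on the DC side (documented values no / allow_sasl_over_tls / yes, default yes) and "ldap ssl ads" on the winbindd side (default no). The sample config and the finding text are constructed here.

```python
"""Audit an smb.conf for the LDAP settings discussed above (constructed example)."""
import re

# Constructed sample config; mixed case/spacing on purpose, Samba ignores both.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ads
   # winbindd will run SASL (Kerberos/NTLM) over TLS to the DC
   ldap ssl ads = yes
   Ldap Server Require Strong Auth = allow_sasl_over_tls
"""

def _norm(name):
    """Samba ignores case and whitespace in parameter names; do the same."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(conf):
    """Return the [global] section as {normalised key: value}."""
    section, params = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # full-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def audit(conf):
    """Return (parameter, effective value, finding) tuples for the two settings."""
    g = parse_global(conf)
    findings = []
    # DC side: the default "yes" refuses plaintext/unsigned LDAP and SASL over TLS.
    strong = g.get("ldapserverrequirestrongauth", "yes").lower()
    if strong == "no":
        findings.append(("ldap server require strong auth", strong,
                         "plaintext and unsigned LDAP binds accepted"))
    elif strong == "allow_sasl_over_tls":
        findings.append(("ldap server require strong auth", strong,
                         "SASL over TLS accepted without channel binding"))
    # Member side: SASL over TLS from winbindd carries no channel binding, so a DC
    # that enforces binding will reject it (the winbindd case raised in the message).
    if g.get("ldapsslads", "no").lower() in ("yes", "true", "1"):
        findings.append(("ldap ssl ads", "yes",
                         "winbindd SASL over TLS will fail against an enforcing DC"))
    return findings
```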
