[Samba] LDAP signing and channel binding

Andrew Bartlett abartlet at samba.org
Tue Jan 28 23:56:48 UTC 2020


On Tue, 2020-01-28 at 15:24 -0800, Alexey A Nikitin via samba wrote:
> I'm having hard time finding any definitive information on whether
> Winbind supports LDAP signing (I assume 'yes') and channel binding.
> I read 
> https://wiki.samba.org/index.php/Samba_Security_Documentation#Special_dangers_of_NTLMSSP_and_Kerberos_over_TLS
> to mean 'no' for channel binding, unless that documentation is
> outdated or I misunderstand it.

Correct.  We don't support channel binding in our client or server. 
While we avoid this combination where possible, we would gladly accept
funding to add it client and server (DC) side for the the cases where
(per below) it is forced.

> Can someone please point me to any (preferably official Samba
> project) info in this regard that is a bit more clear than the linked
> above?
> I want to know whether Winbind fully supports both LDAP signing and
> LDAP channel binding. Thank you!

We make NTLMSSP or Kerberos secured LDAP connections and use the
signing or sealing provided by those protocols to secure the
connection.  This avoids the need for channel binding and certificate
checking. 

My understanding is that we don't make those connections over TLS
unless ldap ssl ads is set, and the above describes why that would be a
bad idea.

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba








More information about the samba mailing list