[Samba] LDAP signing and channel binding
abartlet at samba.org
Tue Jan 28 23:56:48 UTC 2020
On Tue, 2020-01-28 at 15:24 -0800, Alexey A Nikitin via samba wrote:
> I'm having a hard time finding any definitive information on whether
> Winbind supports LDAP signing (I assume 'yes') and channel binding.
> I read
> to mean 'no' for channel binding, unless that documentation is
> outdated or I misunderstand it.
Correct. We don't support channel binding in our client or server.
While we avoid this combination where possible, we would gladly accept
funding to add it client and server (DC) side for the cases where
(per below) it is forced.
> Can someone please point me to any (preferably official Samba
> project) info in this regard that is a bit more clear than the linked
> I want to know whether Winbind fully supports both LDAP signing and
> LDAP channel binding. Thank you!
We make NTLMSSP or Kerberos secured LDAP connections and use the
signing or sealing provided by those protocols to secure the
connection. This avoids the need for channel binding and certificate
My understanding is that we don't make those connections over TLS
unless ldap ssl ads is set, and the above describes why that would be a
I hope this clarifies things,
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
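
The two smb.conf settings discussed in the reply above (SASL sign/seal wrapping versus `ldap ssl ads`) can be checked with a small audit script. This is an added example, not part of the original message and not Samba project code; the sample configurations are constructed and the function names are hypothetical.

```python
# Added example: audit smb.conf text for the LDAP client transport settings.
# Sample configs are constructed; function names are hypothetical.
SAMPLE_SASL = """
[global]
    security = ads
    client ldap sasl wrapping = seal
    ldap ssl ads = no
"""
SAMPLE_TLS = """
[global]
    security = ads
    ; TLS requested for AD LDAP, SASL wrapping turned off
    Client LDAP SASL Wrapping = plain
    ldap ssl ads = yes
"""

def read_global(text):
    """Return [global] parameters; names are matched ignoring case and spaces."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip().lower()
    return params

def ldap_findings(text):
    """Return short finding codes for the LDAP client transport settings."""
    g = read_global(text)
    findings = []
    if g.get("ldapsslads") in ("yes", "true", "on", "1"):
        # TLS path: a DC that enforces channel binding cannot be satisfied,
        # since channel binding is not supported per the reply above.
        findings.append("tls-enabled-no-channel-binding")
    wrapping = g.get("clientldapsaslwrapping")
    if wrapping == "plain":
        findings.append("sasl-wrapping-plain")   # no signing or sealing
    elif wrapping is None:
        findings.append("sasl-wrapping-unset")   # confirm with testparm -v
    return findings

if __name__ == "__main__":
    for name, cfg in (("sasl", SAMPLE_SASL), ("tls", SAMPLE_TLS)):
        print(name, ldap_findings(cfg) or "ok")
```

An empty result means the connection relies on NTLMSSP or Kerberos signing or sealing without TLS, which is the combination the reply describes as avoiding the need for channel binding.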