[Samba] LDAP signing and channel binding

Alexey A Nikitin nikitin at amazon.com
Wed Jan 29 00:38:43 UTC 2020

On Tuesday, 28 January 2020 15:57:47 PST Andrew Bartlett wrote:
> On Tue, 2020-01-28 at 15:24 -0800, Alexey A Nikitin via samba wrote:
> > I'm having a hard time finding any definitive information on whether
> > Winbind supports LDAP signing (I assume 'yes') and channel binding.
> > I read 
> > https://wiki.samba.org/index.php/Samba_Security_Documentation#Special_dangers_of_NTLMSSP_and_Kerberos_over_TLS
> > to mean 'no' for channel binding, unless that documentation is
> > outdated or I misunderstand it.
> Correct.  We don't support channel binding in our client or server. 
> While we avoid this combination where possible, we would gladly accept
> funding to add it client and server (DC) side for the cases where
> (per below) it is forced.
So considering Microsoft is planning to release a patch in March 2020 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023) that would force signing and channel binding for LDAP, Samba/Winbind developers seem to be rather calm about it. I admit I'm still learning about AD DS (as well as Winbind), so please correct me if my understanding is wrong: the above-mentioned upcoming patch is generally not a concern because channel binding applies only to LDAP authentication over TLS, and there is usually still an option of authentication using Kerberos and SPNEGO instead of LDAPS. Is my understanding correct?

> > Can someone please point me to any (preferably official Samba
> > project) info in this regard that is a bit more clear than the linked
> > above?
> > I want to know whether Winbind fully supports both LDAP signing and
> > LDAP channel binding. Thank you!
> We make NTLMSSP or Kerberos secured LDAP connections and use the
> signing or sealing provided by those protocols to secure the
> connection.  This avoids the need for channel binding and certificate
> checking. 
> My understanding is that we don't make those connections over TLS
> unless ldap ssl ads is set, and the above describes why that would be a
> bad idea.
> I hope this clarifies things,
> Andrew Bartlett
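For readers wondering what the "channel binding" Andrew says Samba lacks actually computes, here is an added illustration (not Samba code, and not from either poster) of the tls-server-end-point binding from RFC 5929 and the MD5 value that NTLMSSP carries in its MsvChannelBindings AV_PAIR, plus the comparison a DC makes when the binding is enforced. `SAMPLE_CERT_DER` is a constructed byte string standing in for a real DER certificate, and `sig_hash` is assumed to have been read from the certificate's signatureAlgorithm by the caller.

```python
import hashlib
import hmac
import struct

# Constructed placeholder for the server's DER-encoded end-entity certificate.
# A real implementation passes the bytes of the leaf certificate from the TLS handshake.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """RFC 5929 'tls-server-end-point': hash the server certificate with the hash
    named in its signatureAlgorithm, except that MD5 and SHA-1 are replaced by SHA-256."""
    name = sig_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()


def gss_channel_bindings_struct(app_data: bytes) -> bytes:
    """Serialised gss_channel_bindings_struct as used by NTLMSSP: the four
    address fields are zero (type 0, length 0), followed by the length-prefixed
    application data, all little-endian 32-bit integers."""
    return struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data


def ntlm_channel_binding_hash(cert_der: bytes, sig_hash: str) -> bytes:
    """16-byte value the NTLMSSP client puts in the MsvChannelBindings AV_PAIR:
    MD5 over the bindings struct whose application data is the prefixed token."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der, sig_hash)
    return hashlib.md5(gss_channel_bindings_struct(app_data)).digest()


def channel_binding_matches(client_value: bytes, cert_der: bytes, sig_hash: str) -> bool:
    """Server-side check: recompute the value from the certificate actually served on
    this TLS session and compare in constant time. A mismatch means the client
    authenticated against a different TLS endpoint than the one that received the
    credentials, which is exactly the relay case channel binding exists to detect."""
    expected = ntlm_channel_binding_hash(cert_der, sig_hash)
    return hmac.compare_digest(client_value, expected)
```

The same MD5-of-struct construction also appears as the Bnd field of the GSS-API Kerberos authenticator checksum (RFC 4121), which is why enforcing LDAP channel binding on a DC affects both NTLMSSP and Kerberos clients that bind over TLS.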
