[Samba] LDAP signing and channel binding

Andrew Bartlett abartlet at samba.org
Wed Jan 29 01:01:03 UTC 2020


On Tue, 2020-01-28 at 16:38 -0800, Alexey A Nikitin wrote:
> On Tuesday, 28 January 2020 15:57:47 PST Andrew Bartlett wrote:
> > On Tue, 2020-01-28 at 15:24 -0800, Alexey A Nikitin via samba
> > wrote:
> > > I'm having a hard time finding any definitive information on
> > > whether
> > > Winbind supports LDAP signing (I assume 'yes') and channel
> > > binding.
> > > I read
> > > https://wiki.samba.org/index.php/Samba_Security_Documentation#Special_dangers_of_NTLMSSP_and_Kerberos_over_TLS
> > > to mean 'no' for channel binding, unless that documentation is
> > > outdated or I misunderstand it.
> > 
> > Correct.  We don't support channel binding in our client or
> > server. 
> > While we avoid this combination where possible, we would gladly
> > accept
> > funding to add it client and server (DC) side for the cases
> > where
> > (per below) it is forced.
> > 
> 
> So considering Microsoft is planning to release a patch in March 2020
> (
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
> ) that would force signing and channel binding for LDAP,
> Samba/Winbind developers seem to be rather calm about it. I admit I'm
> still learning about AD DS (as well as Winbind), so please correct me
> if my understanding is wrong - the above mentioned upcoming patch is
> generally not a concern because channel binding applies only to LDAP
> authentication over TLS, and there is usually still an option of
> authentication using Kerberos and SPNEGO instead of LDAPS. Is my
> understanding correct?

In short, we hope so.  It would still be great if this could be
developed, we know that some sites do enforce the use of TLS for
various reasons.

Also, even with the warnings, the Samba development community is small
and is funded significantly by customer needs/priorities.  So it can
happen that even with warnings such as these it needs a customer to
jump up and down before someone is able to put in the time.

A fix for this in Samba (for the winbind side) won't be trivial, we
would need to read the SSL session ID from inside OpenLDAP's use of
OpenSSL.  The Samba AD DC may be easier to patch, as we control the
stack down to GnuTLS in that case.

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba







