ADV190023 | LDAP channel binding support

Isaac Boukris iboukris at gmail.com
Tue Feb 25 20:17:39 UTC 2020


Hi metze

On Tue, Feb 18, 2020 at 5:48 PM Stefan Metzmacher <metze at samba.org> wrote:
>
> Am 18.02.20 um 17:06 schrieb Isaac Boukris:
> >
> > I tested net-ads-search from a joined machine configured with "ldap
> > ssl ads = yes", and it works once I also set "client ldap sasl
> > wrapping = plain".
> >
> > However it doesn't work when I configure the DC to require
> > channel-binding with LdapEnforceChannelBinding=2 as per ADV190023.
>
> I looked at it a bit, see
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ac8fd11f1d4b9deb48d6c7942af0c83b52d69d7f

FYI, I got net-ads working against an AD server by adding some logic in
source3, look:
https://gitlab.com/samba-team/devel/samba/-/commits/iboukris-metze-cbind

However the fixed clients aren't working against the samba server yet,
unless require-strong-auth is set to "no", while non-fixed clients
still work. I get this error (I also wonder how I can trigger the
source4 client code).

LD_LIBRARY_PATH=/usr/local/lib /usr/local/samba/bin/net ads
-U"administrator at SMB.NET" -d3 search cn=apache -d3
...
Connected to LDAP server sdc.smb.net
StartTLS issued: using a TLS connection
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
ldap/sdc.smb.net with user[administrator] realm[SMB.NET]: Invalid
credentials
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/sdc.smb.net with
user[administrator] realm=[SMB.NET]: Invalid credentials
return code = -1

And:
LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/ldapsearch -h
sdc.smb.net -b dc=smb,dc=net cn=administrator -Y GSSAPI -N -ZZ -O
maxssf=0
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Invalid credentials (49)
additional info: 8009030C: LdapErr: DSID-0C0904DC, comment:
AcceptSecurityContext error, data 52e, v1db1