The Samba-Bugzilla – Bug 11231
Active Directory Web Services (ADWS) should be supported
Last modified: 2018-11-27 07:29:36 UTC
Active Directory Web Services (ADWS) is a kind of SOAP interface (?) to AD listening on port 9389. It exists since W2k8r2. It's required for the Power Shell AD module to work for example.
The Samba AD server should support that also.
(In reply to Björn Jacke from comment #0)
Just a heads up that I'm currently investigating this and have a proof-of-concept of receiving the decoded SOAP queries as plain XML (to be used by the server).
(In reply to Garming Sam from comment #1)
Do you have the code somewhere?
Do you have example capture you're able to share?
My wireshark tree at
can dissect the first few layers including decrypting.
I'll post some more detail later, but I discovered a convenient set of Python libraries that someone wrote for a MiTM proxy (and inserted some GENSEC code myself):
Protocol stack for the brave:
MC-NMFTB (MC-NMF TCP binding protocol)
MC-NMF (.NET framing protocol)
MS-NNS (.NET NegotiateStream protocol)
MC-NBFX (.NET binary format)
MC-NBFS (.NET binary format for SOAP)
MC-NBFSE (.NET binary format extension for MC-NBFS for dictionary compression)
XML / SOAP (overview in MS-ADDM) belonging to one of the following:
- MS-WSDS (Directory extensions to WS-Enumeration)
- MS-WSPELD (LDAPv3 control support to WS-Transfer and WS-Enumeration)
- MS-WSTIM (Directory extensions to WS-Transfer)
- MS-ADCAP (Custom operations e.g. Change password)
WS-Transfer appears to implement stateless CRUD operations while WS-Enumeration has a stateful enumeration context for pulling.
While I was googling around, I also found:
I don't know if that's of any use to you or if you've seen it. One other thing I discovered is that you can dump the SOAP (more or less, you have to strip the outer XML wrapper and there's some additional internal threads it seems) by changing a config file on the ADWS server.
Successfully have AD Powershell commands accepting responses from our custom server. There's a lot of work to actually iron out all the details and actually polish the code, but Get-ADObject works on single objects and with a bit of fiddling with the server at runtime, we have Get-ADComputer successfully listing computers.
Will post PoC code soon - currently implements bits of WS-Transfer (GET), WS-Enumeration.
- Controls are ASN.1 encoded (and our Python bindings only handle string forms)
- Map the remaining LDAP attributes and investigate synthetic attributes
- Implementing Custom Actions
One other thing that isn't clear from the specification is how long the SOAP dictionary is meant to last for compression. It's also unclear how the client is meant to transition between endpoints and what the expectations are of the server.