Windows supports HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding 0, 1 and 2. But we don't support this, we just reject all SASL binds over TLS... I think it would be good to support and backport this to 4.20...
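An added example (not Samba's or Windows' code) showing what the three LdapEnforceChannelBinding values decide for a SASL bind over TLS, next to the reject-everything behaviour the comment describes; the policy semantics follow Microsoft's documented meaning of 0/1/2, the channel binding is the RFC 5929 tls-server-end-point type, and the certificate bytes are constructed.

```python
import hashlib
import hmac
from enum import IntEnum
from typing import Optional, Tuple

class LdapEnforceChannelBinding(IntEnum):
    """The three registry values named in the report."""
    NEVER = 0           # CBT is ignored even when the client sends one
    WHEN_SUPPORTED = 1  # CBT is verified only if the client supplied one
    ALWAYS = 2          # every SASL bind over TLS must carry a correct CBT

def tls_server_end_point_cbt(cert_der: bytes, sig_hash_name: str) -> bytes:
    """RFC 5929 tls-server-end-point: hash the server's DER certificate with the
    hash of its signature algorithm; MD5 and SHA-1 are replaced by SHA-256."""
    algo = sig_hash_name.lower().replace("-", "")
    if algo in ("md5", "sha1"):
        algo = "sha256"
    return hashlib.new(algo, cert_der).digest()

def gss_application_data(cbt: bytes) -> bytes:
    """GSS channel-binding application_data as LDAP clients send it."""
    return b"tls-server-end-point:" + cbt

def evaluate_sasl_bind(policy: LdapEnforceChannelBinding, expected: bytes,
                       client_app_data: Optional[bytes]) -> Tuple[bool, str]:
    """Server-side decision for one SASL bind on a TLS-protected LDAP connection."""
    if policy == LdapEnforceChannelBinding.NEVER:
        return True, "channel binding not enforced"
    if client_app_data is None:
        if policy == LdapEnforceChannelBinding.WHEN_SUPPORTED:
            return True, "no CBT from client; allowed under WHEN_SUPPORTED (audit this client)"
        return False, "no CBT from client; rejected under ALWAYS"
    if hmac.compare_digest(client_app_data, expected):
        return True, "CBT matches this TLS server certificate"
    return False, "CBT mismatch: the client bound to a different TLS endpoint"

def legacy_samba_sasl_over_tls(client_app_data: Optional[bytes]) -> Tuple[bool, str]:
    """Pre-fix Samba behaviour described in the report: reject every SASL bind over TLS."""
    return False, "SASL bind over TLS rejected unconditionally"

# Constructed sample input: not a real certificate, just bytes standing in for DER.
SERVER_CERT_DER = b"\x30\x82\x01\x00constructed-dc-certificate"
EXPECTED = gss_application_data(tls_server_end_point_cbt(SERVER_CERT_DER, "sha256"))

if __name__ == "__main__":
    for policy in LdapEnforceChannelBinding:
        print(policy.name, evaluate_sasl_bind(policy, EXPECTED, None))
```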
This bug was referenced in samba master.
Created attachment 18343: Patches for v4-20-test
The WHATSNEW patch needs to be integrated into the release flow...
Reassigning to Jule for inclusion in 4.20.
Pushed to autobuild-v4-20-test.
Autobuild failed several times for samba-ad-dc-4b/samba-ad-dc-ntvfs with:

Trust to domain SAMBA2008R2 established
[1(0)/183 at 50s] samba3.wbinfo_user_info(fl2008r2dc:local)
[2(13)/183 at 51s] samba3.blackbox.nt4_trusts(fl2008r2dc)
[3(15)/183 at 51s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=no_check"(fl2008r2dc:local)(fl2008r2dc:local)
[4(16)/183 at 51s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=ca_only"(fl2008r2dc:local)(fl2008r2dc:local)
[5(17)/183 at 52s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=ca_and_name_if_available"(fl2008r2dc:local)(fl2008r2dc:local)
[6(18)/183 at 52s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=ca_and_name"(fl2008r2dc:local)(fl2008r2dc:local)
2024-06-19T12:24:45.776597+00:00 dc7.samba2008r2.example.com ldbsearch[911364]: TLS ../../source4/lib/tls/tls_tstream.c:1236 - no hostname available for verify_peer[ca_and_name] and peer_name[10.53.57.27]
Failed to connect to ldap URL 'ldaps://10.53.57.27' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://10.53.57.27' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldaps://10.53.57.27 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
UNEXPECTED(failure): samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=Administrator@SAMBA2008R2.EXAMPLE.COM --password=locDCpass7 --option=tlsverifypeer=ca_and_name(fl2008r2dc:local).currentTime(fl2008r2dc:local)
REASON: Exception: Exception: No reason specified

Reassigning to Metze.
Created attachment 18349: Patches for v4-20-test
The backport of 60df2a09a4394d2b494224ad3d33314079e73066 was missing and caused the failures.
Reassigning to Jule for inclusion in 4.20. Jule, please note the todo in patch 29/29:
[PATCH 29/29] TODO JULE-PLEASE-ADJUST-FOR-4-20 WHATSNEW: document ldap_server ldaps/tls channel binding support
Pushed to autobuild-v4-20-test. I will add the WHATSNEW patch to the next release notes.
This bug was referenced in samba v4-20-test.
Closing out bug report. Thanks!
This bug was referenced in samba v4-20-stable (Release samba-4.20.3).