Bug 15621 - s4:ldap_server: doesn't support tls channel bindings for sasl binds
Summary: s4:ldap_server: doesn't support tls channel bindings for sasl binds
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.20.0
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-05 13:48 UTC by Stefan Metzmacher
Modified: 2024-08-02 12:14 UTC

See Also:


Attachments
Patches for v4-20-test (121.13 KB, patch)
2024-06-19 08:53 UTC, Stefan Metzmacher
slow: review+
Patches for v4-20-test (123.35 KB, text/plain)
2024-06-19 15:42 UTC, Stefan Metzmacher
slow: review+

Description Stefan Metzmacher 2024-04-05 13:48:01 UTC
Windows supports HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding 0, 1 and 2.

But we don't support this, we just reject all sasl binds over tls...

I think it would be good to support and backport this to 4.20...
Comment 1 Samba QA Contact 2024-04-24 01:00:14 UTC
This bug was referenced in samba master:

Comment 2 Stefan Metzmacher 2024-06-19 08:53:10 UTC
Created attachment 18343
Patches for v4-20-test

The WHATSNEW patch needs to be integrated into the release flow...
Comment 3 Ralph Böhme 2024-06-19 09:13:49 UTC
Reassigning to Jule for inclusion in 4.20.
Comment 4 Jule Anger 2024-06-19 09:24:06 UTC
Pushed to autobuild-v4-20-test.
Comment 5 Jule Anger 2024-06-19 13:48:02 UTC
Autobuild failed several times for samba-ad-dc-4b/samba-ad-dc-ntvfs with:

Trust to domain SAMBA2008R2 established
[1(0)/183 at 50s] samba3.wbinfo_user_info(fl2008r2dc:local)
[2(13)/183 at 51s] samba3.blackbox.nt4_trusts(fl2008r2dc)
[3(15)/183 at 51s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=no_check"(fl2008r2dc:local)(fl2008r2dc:local)
[4(16)/183 at 51s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=ca_only"(fl2008r2dc:local)(fl2008r2dc:local)
[5(17)/183 at 52s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=ca_and_name_if_available"(fl2008r2dc:local)(fl2008r2dc:local)
[6(18)/183 at 52s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=ca_and_name"(fl2008r2dc:local)(fl2008r2dc:local)
2024-06-19T12:24:45.776597+00:00 dc7.samba2008r2.example.com ldbsearch[911364]: TLS ../../source4/lib/tls/tls_tstream.c:1236 - no hostname available for verify_peer[ca_and_name] and peer_name[10.53.57.27]
Failed to connect to ldap URL 'ldaps://10.53.57.27' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://10.53.57.27' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldaps://10.53.57.27 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
UNEXPECTED(failure): samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=Administrator@SAMBA2008R2.EXAMPLE.COM --password=locDCpass7 --option=tlsverifypeer=ca_and_name(fl2008r2dc:local).currentTime(fl2008r2dc:local)
REASON: Exception: Exception: No reason specified

Reassigning to Metze.
Comment 6 Stefan Metzmacher 2024-06-19 15:42:22 UTC
Created attachment 18349
Patches for v4-20-test

The backport of 60df2a09a4394d2b494224ad3d33314079e73066 was missing and caused the failures.
Comment 7 Ralph Böhme 2024-07-05 09:45:30 UTC
Reassigning to Jule for inclusion in 4.20.

Jule, please note the todo in patch 29/29:

[PATCH 29/29] TODO JULE-PLEASE-ADJUST-FOR-4-20 WHATSNEW: document ldap_server ldaps/tls channel binding support
Comment 8 Jule Anger 2024-07-09 09:58:57 UTC
Pushed to autobuild-v4-20-test.

I will add the WHATSNEW patch to the next release notes.
Comment 9 Samba QA Contact 2024-07-09 10:54:04 UTC
This bug was referenced in samba v4-20-test:

Comment 10 Jule Anger 2024-07-09 11:02:47 UTC
Closing out bug report.

Thanks!
Comment 11 Samba QA Contact 2024-08-02 12:14:13 UTC
This bug was referenced in samba v4-20-stable (Release samba-4.20.3):
