Bug 15621 - s4:ldap_server: doesn't support tls channel bindings for sasl binds
Summary: s4:ldap_server: doesn't support tls channel bindings for sasl binds
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.20.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-05 13:48 UTC by Stefan Metzmacher
Modified: 2024-08-02 12:14 UTC (History)
2 users (show)

See Also:

Attachments
Patches for v4-20-test (121.13 KB, patch)
2024-06-19 08:53 UTC, Stefan Metzmacher 		slow: review+
Details
Patches for v4-20-test (123.35 KB, text/plain)
2024-06-19 15:42 UTC, Stefan Metzmacher 		slow: review+
Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2024-04-05 13:48:01 UTC 
Windows supports 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
LdapEnforceChannelBinding 0, 1 and 2.

But we don't support this, we just reject all sasl binds over tls...

I think it would be good to support and backport this to 4.20...
Comment 1 Samba QA Contact 2024-04-24 01:00:14 UTC 
This bug was referenced in samba master:

8deba427e2697501f10e80a2ac0325a657635b92
68f6a461e1706f03007d3c5cfc68c71383b4ff28
5844ef27aa46cba3d343035ccd35b03525db9843
6688945fa03f4a448708f729083ea4a1cdd1ab88
ac4bca77039cbc31323fb10b3706ed959a0cbbcd
60b11645b0d1c8304eabbb2aeca8a6b5190a3a2e
15fb8fcc7b98c3eba8eab79b227127b4b71b096c
3186cdce85a58451e9d5a05468029a13621128c3
604413b98a23f28288ec4af11023717a9239e0fe
b8b874ef5e40d266a54501ba4523c6af7032ca00
493d35a6910d9d9b70f55c2273f4e8a6c93a3bf5
c200cf1b5f430f686b39df8513a6b7e3c592ed43
2f2af3aa8a0366e6502751415a08413bf28ba0cb
cbd7ce44121246167e0c8a6d905180d82df1a2ef
9b92cbacac11fb64cca2c4770cbdce789525b87a
546e39a6fa122e6a40d1e62724e1712882ce3bce
e912ba579b1469c78ca65345ec1fe8376c74272c
f1d34a430d227e685e2fe983b14c74136d9c8a8e
1831006b77749dda902ae4ced0a96e5f14d89adb
811d04fea7d329a7f3c8e01ac20bfad48ac9cd4f
6c17e3d2800723bafebd1986ab59a9422c881f0b
7acb15a53c061344ffdbd58f9b2f01f8b0233f4e
6794cc476249452c415881396bce4df663fc4fba
065da873296c23ef3b9051fba39be097cfff60fa
e1c4caed10d775e23cd7dc294f2cccce76866894
Comment 2 Stefan Metzmacher 2024-06-19 08:53:10 UTC 
Created attachment 18343 [details]
Patches for v4-20-test

The WHATSNEW patch needs to be integrated into the release flow...
Comment 3 Ralph Böhme 2024-06-19 09:13:49 UTC 
Reassigning to Jule for inclusion in 4.20.
Comment 4 Jule Anger 2024-06-19 09:24:06 UTC 
Pushed to autobuild-v4-20-test.
Comment 5 Jule Anger 2024-06-19 13:48:02 UTC 
Autobuild failed several times for samba-ad-dc-4b/samba-ad-dc-ntvfs with:

Trust to domain SAMBA2008R2 established
[1(0)/183 at 50s] samba3.wbinfo_user_info(fl2008r2dc:local)
[2(13)/183 at 51s] samba3.blackbox.nt4_trusts(fl2008r2dc)
[3(15)/183 at 51s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=no_check"(fl2008r2dc:local)(fl2008r2dc:local)
[4(16)/183 at 51s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=ca_only"(fl2008r2dc:local)(fl2008r2dc:local)
[5(17)/183 at 52s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=ca_and_name_if_available"(fl2008r2dc:local)(fl2008r2dc:local)
[6(18)/183 at 52s] samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD --option="tlsverifypeer=ca_and_name"(fl2008r2dc:local)(fl2008r2dc:local)
2024-06-19T12:24:45.776597+00:00 dc7.samba2008r2.example.com ldbsearch[911364]: TLS ../../source4/lib/tls/tls_tstream.c:1236 - no hostname available for verify_peer[ca_and_name] and peer_name[10.53.57.27]
Failed to connect to ldap URL 'ldaps://10.53.57.27' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://10.53.57.27' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldaps://10.53.57.27 - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
UNEXPECTED(failure): samba4.ldb.simple.ldaps with options SERVER_IP --simple-bind-dn=Administrator@SAMBA2008R2.EXAMPLE.COM --password=locDCpass7 --option=tlsverifypeer=ca_and_name(fl2008r2dc:local).currentTime(fl2008r2dc:local)
REASON: Exception: Exception: No reason specified

Reassigning to Metze.
Comment 6 Stefan Metzmacher 2024-06-19 15:42:22 UTC 
Created attachment 18349 [details]
Patches for v4-20-test

The backport of 60df2a09a4394d2b494224ad3d33314079e73066 was missing and caused
the failures
Comment 7 Ralph Böhme 2024-07-05 09:45:30 UTC 
Reassigning to Jule for inclusion in 4.20.

Jule, please note the todo in patch 29/29:

[PATCH 29/29] TODO JULE-PLEASE-ADJUST-FOR-4-20 WHATSNEW: document
 ldap_server ldaps/tls channel binding support
Comment 8 Jule Anger 2024-07-09 09:58:57 UTC 
Pushed to autobuild-v4-20-test.

I will add the WHATSNEW patch to the next release notes.
Comment 9 Samba QA Contact 2024-07-09 10:54:04 UTC 
This bug was referenced in samba v4-20-test:

39ffaf056b268be05aca5f0ec0c7bb2dcbebacae
461f14259e269af5bbe858a3e6027856d644a109
52adc59a9263dd345a130ad1139c2757f9c95a1f
c117f54ceed81451d5d010f12828fd9b18551099
3e90d30bab90f5d762c224971a8029d0ca10369d
0c8fd43cc8347c566bbb0ac5f0cf021062482a06
1f0e6a447479d96abbfde9d8a2a57ea16c67de97
f1ca22f5577f26e640ddf22521f36eddbdb0283e
8989c3cd8ba34a4b92c3566306f0362302dd41e3
7a6ce2be813ea64a5871d49a019ca29a213bf8b9
254fa5041d6bc5bf037a3ce0a2dffff3ecff8879
b2f44b81751589fb3e32a7dd3899d41a80086424
6fec41bdb31dc9a0150ed0342eedc3354a100714
20d5335dc1f2ee6b33ba9d10467ca0d9fe7b7271
c86e8742373cfa022419de40427dba45239d0ae4
2668243de22135b8f605a59f16b5d23fddab3469
c41feb6c2a47860a38e971be8c0fb829dfb08706
1219bf3830120fa60c64a32ddc32899526510cd7
7b62c5f7d2419af3f29251ecd9e50811b0e7a4b2
64d4c1cdcc3ba09d48680f8315716c195d199aca
7f2e3839f257d6c87d0b8f5e66ecd1a950964913
7c6c742106b14ab564bb24038266f53be9db915c
ac22551de3ec0d604ab431f738630ff25aa9062d
16b430e7401bb01cdaba7e39681d9d494228af03
Comment 10 Jule Anger 2024-07-09 11:02:47 UTC 
Closing out bug report.

Thanks!
Comment 11 Samba QA Contact 2024-08-02 12:14:13 UTC 
This bug was referenced in samba v4-20-stable (Release samba-4.20.3):

39ffaf056b268be05aca5f0ec0c7bb2dcbebacae
461f14259e269af5bbe858a3e6027856d644a109
52adc59a9263dd345a130ad1139c2757f9c95a1f
c117f54ceed81451d5d010f12828fd9b18551099
3e90d30bab90f5d762c224971a8029d0ca10369d
0c8fd43cc8347c566bbb0ac5f0cf021062482a06
1f0e6a447479d96abbfde9d8a2a57ea16c67de97
f1ca22f5577f26e640ddf22521f36eddbdb0283e
8989c3cd8ba34a4b92c3566306f0362302dd41e3
7a6ce2be813ea64a5871d49a019ca29a213bf8b9
254fa5041d6bc5bf037a3ce0a2dffff3ecff8879
b2f44b81751589fb3e32a7dd3899d41a80086424
6fec41bdb31dc9a0150ed0342eedc3354a100714
20d5335dc1f2ee6b33ba9d10467ca0d9fe7b7271
c86e8742373cfa022419de40427dba45239d0ae4
2668243de22135b8f605a59f16b5d23fddab3469
c41feb6c2a47860a38e971be8c0fb829dfb08706
1219bf3830120fa60c64a32ddc32899526510cd7
7b62c5f7d2419af3f29251ecd9e50811b0e7a4b2
64d4c1cdcc3ba09d48680f8315716c195d199aca
7f2e3839f257d6c87d0b8f5e66ecd1a950964913
7c6c742106b14ab564bb24038266f53be9db915c
ac22551de3ec0d604ab431f738630ff25aa9062d
16b430e7401bb01cdaba7e39681d9d494228af03