Bug 1804121 - samba: ADV190023 breaks SASL authenticated bind over TLS
Summary: samba: ADV190023 breaks SASL authenticated bind over TLS
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: samba
Version: 8.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Isaac Boukris
QA Contact: QE contact list for Identity Management :: Authentication and File Services subteam
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-18 09:27 UTC by Isaac Boukris
Modified: 2020-07-05 14:38 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1822737 None None None 2020-04-09 18:32:07 UTC
Red Hat Knowledge Base (Article) 4661861 None None None 2020-03-03 07:41:03 UTC

Internal Links: 1822737

Description Isaac Boukris 2020-02-18 09:27:22 UTC
Description of problem:

MS advisory announced an update due in a couple of months, requiring ldap-signing and channel-binding by default, this will break samba client when configured with "ldap ssl ads = yes" since samba use sasl authentication (kerberos, not simple auth).

Note: currently to get  "ldap ssl ads = yes" working against Windows DC you must also set "client ldap sasl wrapping = plain" as windows does not allow sasl-wrapping over TLS.

How reproducible:

Always

Steps to Reproduce:
1. configure "ldap ssl ads = yes" and "client ldap sasl wrapping = plain" and make sure net-ads-search command works against AD.
2. Enable the require signing GPO and set registry LdapEnforceChannelBinding=2 per ADV190023.
3. run net-ads command, see that it fails.

$ net ads -U"administrator@ACME.COM%Secret123" -d3 search cn=admin

Successfully contacted LDAP server 192.168.0.120
Connected to LDAP server adc.ACME.COM
StartTLS issued: using a TLS connection
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm[ACME.COM]: Invalid credentials
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm=[ACME.COM]: Invalid credentials
return code = -1

Comment 1 Isaac Boukris 2020-02-18 09:53:31 UTC
Note, to get "ldap ssl ads = yes" working you'd also need to install the CA certificate or set "TLS_REQCERT allow" in ldap.conf for testing.


Note You need to log in before you can comment on or make changes to this bug.