[bcc dochelp]

Hi Metze

Thank you for contacting Protocol Support. We created SR Case - 
TrackingID#2309280040006657 to track the issue.
Please do leave this tag - TrackingID#2309280040006657 in the subject for 
future reference.

One of our engineers will be contacting you shortly.

Hung-Chun Yu
hu...@microsoft.com
DevOps Customer Service & Support

My working hours are Monday to Friday 9am-6pm PST
If you need assistance outside of my working hours, please call and request to 
work with the next available engineer:

Our Premier Support line may be reached 24x7 at 1-800-936-3100
Our Government Premier Support Number is 1-800-936-3200 
Our Professional Support Number 1-800-936-5800
Providing excellent support is my primary objective. 
Feel free to reach out to my manager to provide feedback:
Gary Ranne, gar...@microsoft.com
For DevOps escalations please contact Stacy Gray:
Stacy Gray, stac...@microsoft.com

-----Original Message-----
From: Stefan Metzmacher <me...@samba.org> 
Sent: Thursday, September 28, 2023 7:20 AM
To: Interoperability Documentation Help <doch...@microsoft.com>
Cc: cifs-protocol@lists.samba.org
Subject: [EXTERNAL] LdapEnforceChannelBinding details

Hi DocHelp,

I'm trying to connect to a server with LdapEnforceChannelBinding=2 and can't 
get it working.

MS-NLMP specifies ClientChannelBindingsUnhashed and 
ServerChannelBindingsUnhashed as input from the application.

MS-ADTS 5.1.2.2 Using SSL/TLS specifies that "tls-server-endpoint"
channel bindings should be used.

Can you please document with example values how ServerChannelBindingsUnhashed 
is constructed?

I'm getting these 32 bytes from 
gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)

[0000] 84 84 FE 71 87 5F 0E 25   9B 7C 0D AA 40 7C DF D9   ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC   3C 84 27 5D CE 72 AD E2   W.Lk.... <.'].r..

And I'm also getting this when I manually copy the certificate blob from the 
TLS1.2 Server Certificate message and do a sha256sum on it.

I tried the following already.

4 zero bytes for initiator_addrtype
4 zero bytes for initiator_address.length
4 zero bytes for acceptor_addrtype
4 zero bytes for acceptor_address.length
4 little-endian bytes for '32' application_data.length
32 bytes for application_data.data

[0000] 00 00 00 00                                         ....
[0000] 00 00 00 00                                         ....
[0000] 00 00 00 00                                         ....
[0000] 00 00 00 00                                         ....
[0000] 20 00 00 00                                          ...
[0000] 84 84 FE 71 87 5F 0E 25   9B 7C 0D AA 40 7C DF D9   ...q._.% .|..@|..
[0010] 57 B4 4C 6B 8B EB 1E FC   3C 84 27 5D CE 72 AD E2   W.Lk.... <.'].r..

And the resulting MD5 hash over all of this is:
[0000] 00 3D 9C 0F D6 63 38 B1   B0 F8 53 63 A8 0A C8 6D   .=...c8. ..Sc...m

And I put this into the NTLMv2 exchange:

     pair: struct AV_PAIR
         AvId                     : MsvChannelBindings (0xA)
         AvLen                    : 0x0010 (16)
         Value                    : union ntlmssp_AvValue(case 0xA)
         ChannelBindings          : 003d9c0fd66338b1b0f85363a80ac86d

LDAP error 49 LDAP_INVALID_CREDENTIALS -  <80090346: LdapErr: DSID-0C0905E2, 
comment: AcceptSecurityContext error, data 80090346, v3839>

80090346 is HRES_SEC_E_BAD_BINDINGS

Can you please clarify this?

Thanks!
metze
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
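To make the construction described in the post reproducible, here is an added Python example (written for this page, not code from the post, from Samba or from Microsoft). It serializes the channel-bindings structure exactly as the post lays it out (four zero 32-bit fields, then the little-endian application_data length, then the data), MD5s it to get the 16-byte MsvChannelBindings value, and feeds it the 32 tls-server-end-point bytes quoted in the post; the application_data is a parameter so other candidate inputs can be tried the same way.

```python
import hashlib
import struct

# The 32 bytes the post reports from
# gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT).
TLS_SERVER_END_POINT = bytes.fromhex(
    "8484FE71875F0E259B7C0DAA407CDFD9"
    "57B44C6B8BEB1EFC3C84275DCE72ADE2"
)


def gss_channel_bindings_unhashed(application_data: bytes) -> bytes:
    """Serialize the structure the way the post does, with empty
    initiator/acceptor addresses: every addrtype and length field is a
    4-byte little-endian integer and the application data follows its
    length field."""
    out = struct.pack("<I", 0)                        # initiator_addrtype
    out += struct.pack("<I", 0)                       # initiator_address.length
    out += struct.pack("<I", 0)                       # acceptor_addrtype
    out += struct.pack("<I", 0)                       # acceptor_address.length
    out += struct.pack("<I", len(application_data))   # application_data.length
    out += application_data                           # application_data.data
    return out


def msv_channel_bindings(application_data: bytes) -> bytes:
    """MD5 over the serialized structure: the 16-byte value carried in the
    MsvChannelBindings AV_PAIR (AvId 0xA) of the NTLMv2 response."""
    return hashlib.md5(gss_channel_bindings_unhashed(application_data)).digest()


def hexdump(data: bytes) -> str:
    """Render bytes as space-separated upper-case hex, like the post's dumps."""
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    unhashed = gss_channel_bindings_unhashed(TLS_SERVER_END_POINT)
    print("unhashed:", hexdump(unhashed))
    print("MD5     :", msv_channel_bindings(TLS_SERVER_END_POINT).hex())
```

Compare the printed MD5 with the ChannelBindings value quoted in the post to confirm you are serializing the same bytes before changing the application_data input.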
