search for: ldapenforcechannelbind

...t.com/en-us/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements If they say 'just use SSL', then the allow_sasl_over_tls part of that option is to address this issue: https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry We (and likely they) don't support the channel bindings (patches welcome!), but the protocol flaw (no link between the SSL and the NTLM/Kerberos handshake inside) is the one we are trying to avoid. The manpage is vague because we fixed our implementation before they did the...

Mandi! Andrew Bartlett via samba In chel di` si favelave... > > This mean that the printer try to auth in LDAP 'plain' (no SSL, no > > TLS), and so samba refuse that? > No, it means that Samba is refusing to accept a NTLM or Kerberos > authenticated connection without SIGN or SEAL negotiated, as an > attacker could take over an unprotected network connection and do