RE: computer account change password with Windows 2008 domain

Michael Engemann engemam at uni-muenster.de
Wed Jan 7 10:10:28 EST 2009


Hi Tim,

Can you tell me then what I am doing wrong?
Even a simple ldapsearch that was functioning for Windows 2003 throws an error for 2008:


ldapsearch -Hldap://fqdn -b "" -s base -Omaxssf=0 -ZZ
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771

Thanks,

Michael


> -----Original Message-----
> From: Tim Alsop [mailto:Tim.Alsop at CyberSafe.com]
> Sent: Wednesday, 7 January 2009 15:57
> To: Michael Engemann; kerberos at mit.edu
> Subject: RE: computer account change password with Windows 2008 domain
> 
> Hi,
> 
> We are able to change/set passwords using Kerberos/GSS-API/SASL/LDAP
> when using Active Directory on Windows Server 2008.
> 
> Thanks,
> Tim
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Michael Engemann
> Sent: 07 January 2009 14:46
> To: kerberos at mit.edu
> Subject: computer account change password with Windows 2008 domain
> 
> Hi,
> 
> we are also experiencing the bug in Windows Server 2008 that was
> mentioned on this list in April 2008 by Russ Allbery:
> 
> * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
>   binds in Windows 2008.  In Windows 2003, provided that you didn't try to
>   negotiate an SASL privacy layer, you could connect via TLS and
>   authenticate with GSSAPI and query or set the password attribute
>   directly.  In Windows 2008, this no longer works; you always get the
>   error from the server that you are not permitted to negotiate a privacy
>   layer when using TLS, even though you're not trying to.  We've already
>   filed this as a bug.
> 
> Is there perhaps any news about a fix or a known workaround?
> 
> Thanks in advance,
> 
> Michael
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
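
Added example, not part of the original thread: a small Python parser for the Active Directory diagnostic string that ldapsearch prints as "additional info" above, useful when triaging bind failures from client logs. The function and field names are hypothetical; the two Win32 code names are taken from winerror.h, and reading the trailing `v` field as the server build number in hex is an assumption based on the commonly observed format.

```python
import re

# Win32 directory-service error codes (winerror.h); only the two relevant
# to bind-security failures are listed here.
WIN32_DS_ERRORS = {
    0x2028: "ERROR_DS_STRONG_AUTH_REQUIRED",
    0x2029: "ERROR_DS_INAPPROPRIATE_AUTH",
}

# Shape of the string: <win32 hex>: <kind>: DSID-<hex>, comment: <text>,
# data <hex>[, v<build hex>]. The comment itself may contain commas.
_AD_DIAG = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}):\s*(?P<kind>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>.*?),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
    r"(?:,\s*v(?P<build>[0-9A-Fa-f]+))?"
)

# The "additional info" line quoted in the message above.
SAMPLE = ("00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using "
          "sign/seal on a connection on which TLS or SSL is in effect, "
          "data 0, v1771")


def parse_ad_diagnostic(text):
    """Split an AD diagnostic message into fields; None if it does not match."""
    m = _AD_DIAG.search(text)
    if m is None:
        return None
    win32 = int(m["win32"], 16)
    return {
        "win32_code": win32,
        "win32_name": WIN32_DS_ERRORS.get(win32, "unknown"),
        "kind": m["kind"],
        "dsid": m["dsid"].upper(),  # internal source-location id, build-specific
        "comment": m["comment"],
        "data": m["data"],
        # Assumption: the v field is the server build number in hex.
        "server_build": int(m["build"], 16) if m["build"] else None,
    }


def is_sasl_layer_over_tls_conflict(text):
    """True when the server refused a SASL sign/seal layer on a TLS connection."""
    d = parse_ad_diagnostic(text)
    return bool(d and d["win32_code"] == 0x2029 and "sign/seal" in d["comment"])


if __name__ == "__main__":
    print(parse_ad_diagnostic(SAMPLE))
```

For the string in this thread the parser yields Win32 code 8233 and build 6001, which matches a Windows Server 2008 domain controller.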