computer account change password with Windows 2008 domain

Russ Allbery rra at stanford.edu
Wed Jan 7 13:45:29 EST 2009


Michael Engemann <engemam at uni-muenster.de> writes:

> we are also experiencing the bug in Windows Server 2008 that was
> mentioned on this list in April 2008 by Russ Allbery:
>
> * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
>   binds in Windows 2008.  In Windows 2003, provided that you didn't try to
>   negotiate an SASL privacy layer, you could connect via TLS and
>   authenticate with GSSAPI and query or set the password attribute
>   directly.  In Windows 2008, this no longer works; you always get the
>   error from the server that you are not permitted to negotiate a privacy
>   layer when using TLS, even though you're not trying to.  We've already
>   filed this as a bug.
>
> Are there probably any news about a fix or a known workaround?

The workaround is to use the password change protocol instead of using
LDAP.  That's what we modified our code to do, since so far as I know
Microsoft still hasn't fixed this bug.  (Their negotiation of GSSAPI
privacy layers in their LDAP implementation is oddly broken in ways that
are apparently difficult to fix, leading the server to think that you've
always negotiated a privacy layer even if you haven't.  At least that's
my understanding of the problem.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
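The two wire shapes this thread contrasts, as an added illustration that is not from the thread or from Stanford's code: the value an LDAP modify has to carry for Active Directory's unicodePwd attribute (the approach that fails under a GSSAPI bind plus TLS on Windows 2008), and the framing of the Kerberos password change protocol on port 464 that Russ describes as the workaround. The protocol version numbers and result codes follow RFC 3244; the AP-REQ and KRB-PRIV blobs would come from a real Kerberos library, so the bytes used here are constructed placeholders and the `decode_result` input stands for already-decrypted KRB-PRIV user data.

```python
"""Constructed example: AD unicodePwd encoding vs. RFC 3244 kpasswd framing."""
import struct

KPASSWD_PORT = 464
VERSION_CHANGE_PASSWORD = 0x0001   # classic kpasswd: a principal changes its own password
VERSION_SET_PASSWORD = 0xFF80      # RFC 3244 set-password: may target another principal

# Result codes carried in the decrypted KRB-PRIV user data of a reply (RFC 3244).
RESULT_CODES = {
    0: "success",
    1: "malformed request",
    2: "server error",
    3: "authentication error",
    4: "soft error (password rejected by policy)",
    5: "access denied",
    6: "bad version",
    7: "initial flag needed",
}


def encode_unicode_pwd(password: str) -> bytes:
    """Value for an LDAP replace of AD's unicodePwd: quoted password in UTF-16-LE."""
    return f'"{password}"'.encode("utf-16-le")


def build_kpasswd_request(ap_req: bytes, krb_priv: bytes,
                          version: int = VERSION_SET_PASSWORD) -> bytes:
    """RFC 3244 request: length(2) | version(2) | AP-REQ length(2) | AP-REQ | KRB-PRIV.

    ap_req and krb_priv are opaque here; a Kerberos library produces them.
    """
    body = struct.pack("!HH", version, len(ap_req)) + ap_req + krb_priv
    total = 2 + len(body)
    if total > 0xFFFF:
        raise ValueError("kpasswd message too long for 16-bit length field")
    return struct.pack("!H", total) + body


def parse_kpasswd_message(data: bytes):
    """Split a request or reply into (version, AP-REQ/AP-REP, trailing blob).

    The trailing blob is a KRB-PRIV on success; a server may instead return a
    KRB-ERROR there, which the caller must distinguish by ASN.1 tag.
    """
    if len(data) < 6:
        raise ValueError("kpasswd message shorter than its fixed header")
    length, version, ap_len = struct.unpack("!HHH", data[:6])
    if length != len(data):
        raise ValueError("length field does not match message size")
    ap = data[6:6 + ap_len]
    tail = data[6 + ap_len:]
    if len(ap) != ap_len or not tail:
        raise ValueError("truncated AP message or missing KRB-PRIV/KRB-ERROR")
    return version, ap, tail


def decode_result(user_data: bytes):
    """Decrypted KRB-PRIV user data of a reply: 2-byte result code, then a message."""
    if len(user_data) < 2:
        raise ValueError("reply user data shorter than result code")
    code = struct.unpack("!H", user_data[:2])[0]
    return code, RESULT_CODES.get(code, "unknown"), user_data[2:].decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed placeholder blobs standing in for real Kerberos messages.
    req = build_kpasswd_request(b"APREQ-bytes", b"KRBPRIV-bytes")
    print(parse_kpasswd_message(req))
    print(decode_result(b"\x00\x04Password does not meet policy"))
```

Note that the change-password variant (0x0001) can only change the authenticating principal's own password, whereas the set-password variant (0xFF80) is what an administrative tool needs to set another account's password, and that the reply's result code sits inside the encrypted KRB-PRIV, so it is not visible to a passive observer of port 464.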


