computer account change password with Windows 2008 domain

Wilper, Ross A rwilper at stanford.edu
Wed Jan 7 14:29:23 EST 2009


The QoP negotiation issue is fixed by the hotfix with KB article 957072.
This has been applied to our systems, but as of yet, I have not seen
that this hotfix has been released publicly. So you would need to
contact MS support for the hotfix.

-Ross


-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Russ Allbery
Sent: Wednesday, January 07, 2009 10:45 AM
To: Michael Engemann
Cc: kerberos at mit.edu
Subject: Re: computer account change password with Windows 2008 domain

Michael Engemann <engemam at uni-muenster.de> writes:

> we are also experiencing the bug in Windows Server 2008 that was
> mentioned on this list in April 2008 by Russ Allbery:
>
> * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
>   binds in Windows 2008.  In Windows 2003, provided that you didn't try to
>   negotiate an SASL privacy layer, you could connect via TLS and
>   authenticate with GSSAPI and query or set the password attribute
>   directly.  In Windows 2008, this no longer works; you always get the
>   error from the server that you are not permitted to negotiate a privacy
>   layer when using TLS, even though you're not trying to.  We've already
>   filed this as a bug.
>
> Is there any news about a fix or a known workaround?

The workaround is to use the password change protocol instead of using
LDAP.  That's what we modified our code to do, since so far as I know
Microsoft still hasn't fixed this bug.  (Their negotiation of GSSAPI
privacy layers in their LDAP implementation is oddly broken in ways that
are apparently difficult to fix, leading the server to think that you've
always negotiated a privacy layer even if you haven't.  At least that's
my understanding of the problem.)

-- 
Russ Allbery (rra at stanford.edu)
<http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
