computer account change password with Windows 2008 domain

Michael B Allen ioplex at gmail.com
Wed Jan 7 14:45:38 EST 2009


On Wed, Jan 7, 2009 at 1:45 PM, Russ Allbery <rra at stanford.edu> wrote:
> Michael Engemann <engemam at uni-muenster.de> writes:
>
>> we are also experiencing the bug in Windows Server 2008 that was
>> mentioned on this list in April 2008 by Russ Allbery:
>>
>> * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
>>   binds in Windows 2008.  In Windows 2003, provided that you didn't try to
>>   negotiate an SASL privacy layer, you could connect via TLS and
>>   authenticate with GSSAPI and query or set the password attribute
>>   directly.  In Windows 2008, this no longer works; you always get the
>>   error from the server that you are not permitted to negotiate a privacy
>>   layer when using TLS, even though you're not trying to.  We've already
>>   filed this as a bug.
>>
>> Are there probably any news about a fix or a known workaround?
>
> The workaround is to use the password change protocol instead of using
> LDAP.  That's what we modified our code to do, since so far as I know
> Microsoft still hasn't fixed this bug.  (Their negotiation of GSSAPI
> privacy layers in their LDAP implementation is oddly broken in ways that
> are apparently difficult to fix, leading the server to think that you've
> always negotiated a privacy layer even if you haven't.  At least that's
> my understanding of the problem.)

Russ,

Do you know if it works when SASL confidentiality is used instead of TLS?

Is there any method that works at all?

I'm sure a lot of people would like to know exactly what privacy
establishment methods allow you to set unicodePwd over LDAP.

Fortunately our product has always used the KPASSWD protocol for
password setting, password changing and generating keytabs but I had
also planned to offer LDAP password setting as an option. Hopefully
there are other methods that work without TLS (TLS is kind of a pain
anyway).

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
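As an added example that is not part of the thread or of any product mentioned in it: the two LDAP modify shapes the discussion refers to (an administrative "set" versus a self-service "change" of unicodePwd), with the value encoding Active Directory requires, written as LDIF generators in Python. The DN and passwords are constructed placeholders.

```python
import base64

# Constructed example DN; substitute the real computer account's DN.
COMPUTER_DN = "CN=WS01,OU=Workstations,DC=example,DC=com"


def unicode_pwd_value(password: str) -> bytes:
    """Encode a password the way AD expects in unicodePwd: the clear-text
    value wrapped in double quotes, then UTF-16LE without a BOM."""
    return f'"{password}"'.encode("utf-16-le")


def ldif_b64(value: bytes) -> str:
    """LDIF binary attribute syntax ('attr:: <base64>')."""
    return base64.b64encode(value).decode("ascii")


def reset_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: a single 'replace' carrying only the new value.
    The bound identity needs the Reset Password right on the object."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {ldif_b64(unicode_pwd_value(new_password))}",
        "-",
        "",
    ])


def change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change: delete the old value and add the new one in one
    modify operation; the DC checks the old value and enforces policy."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {ldif_b64(unicode_pwd_value(old_password))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {ldif_b64(unicode_pwd_value(new_password))}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # AD only accepts either LDIF over an encrypted session (LDAPS, or a
    # SASL bind with a confidentiality layer); the thread reports that
    # GSSAPI over TLS is rejected by Windows 2008 DCs.
    print(change_ldif(COMPUTER_DN, "old-machine-pw", "new-machine-pw"))
```

Feed the output to ldapmodify over LDAPS; for the kpasswd workaround the thread recommends, no LDIF is involved at all.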



More information about the Kerberos mailing list