computer account change password with Windows 2008 domain

Wilper, Ross A rwilper at stanford.edu
Wed Jan 7 15:34:13 EST 2009


I'll jump in again and state that Windows 2000 did not support setting
unicodePwd using anything other than LDAPS, but Windows 2003 and 2008 do
support using SASL with "auth-conf" (SASL confidentiality is now the
default mechanism in the ADSI libraries). The MS documents are fairly
confusing, but I have code that sets the password using ADSI on port 389
after setting Kerberos encryption.

password and unicodePwd cannot be viewed, and I think that after Windows
2000, password cannot be set (only unicodePwd).

Again, there are bugs in auth-conf and service principal binds (UPN with
a "/") in Windows 2008 that require hotfixes and only the latter hotfix
is public.

(My plane is boarding now, gotta run)

-Ross

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Russ Allbery
Sent: Wednesday, January 07, 2009 12:04 PM
To: Michael B Allen
Cc: kerberos at mit.edu
Subject: Re: computer account change password with Windows 2008 domain

"Michael B Allen" <ioplex at gmail.com> writes:

> Do you know if works when SASL confidentiality is used instead of TLS?

It does not.  Microsoft's LDAP implementation requires TLS in order to
view or change the password attribute.  I don't know of any technical
reason why SASL confidentiality wouldn't be sufficient (provided the
negotiated strength were high enough), but their implementation doesn't
appear to support this.

> Is there any method that works at all?

> I'm sure a lot of people would like to know exactly what privacy
> establishment methods allow you to set unicodePwd over LDAP.

Under Windows 2008, so far as I can determine, the only supported way to
set unicodePwd over LDAP is to use password binds with TLS.  I don't
believe this is intentional -- Microsoft acknowledges that it's a bug
rather than a design intention -- but as long as the bug is present, it
amounts to the same thing.

-- 
Russ Allbery (rra at stanford.edu)
<http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
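The thread turns on one operational point: an LDAP client must not send a unicodePwd modification unless the connection already has a confidentiality layer (TLS per Russ; Ross reports SASL auth-conf also working on 2003/2008). The following is an added example, not code from either poster: it builds the unicodePwd modify value in the format Active Directory expects (the new password wrapped in double quotes, encoded as UTF-16-LE) and refuses to hand it to a connection that is neither TLS-protected nor, when explicitly allowed, SASL-protected with a non-zero security strength factor. The `Connection` class is a constructed stand-in for a real client's connection state; the `allow_sasl_conf` switch lets an operator choose between the strict TLS-only policy and the SASL auth-conf variant discussed above.

```python
"""Added example (not from the thread): encode a unicodePwd value and gate
the modify on the connection having a confidentiality layer.

Assumptions: `Connection` below is a constructed stand-in for an LDAP
client's connection state; real clients (python-ldap, ldap3, ADSI) expose
the same facts under other names. The unicodePwd wire format (quoted
password, UTF-16-LE) is Active Directory's documented requirement.
"""
from dataclasses import dataclass
from typing import List, Tuple

# RFC 4511 ModifyRequest operation codes: 0 = add, 1 = delete, 2 = replace
MOD_REPLACE = 2


@dataclass
class Connection:
    """Constructed stand-in for the security state of one LDAP connection."""
    host: str
    port: int
    tls: bool = False           # LDAPS on 636, or StartTLS completed on 389
    sasl_mechanism: str = ""    # e.g. "GSSAPI"; empty string means simple bind
    sasl_ssf: int = 0           # negotiated SASL strength; 0 means no auth-conf layer


def encode_unicode_pwd(password: str) -> bytes:
    """AD requires the password wrapped in double quotes, encoded UTF-16-LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, useful for checking what a client emitted."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not quote-framed")
    return text[1:-1]


def has_confidentiality(conn: Connection, allow_sasl_conf: bool) -> bool:
    """TLS always counts; SASL counts only if the operator opted in and a layer was negotiated."""
    if conn.tls:
        return True
    return allow_sasl_conf and conn.sasl_mechanism != "" and conn.sasl_ssf > 0


def build_password_modify(
    conn: Connection, dn: str, password: str, allow_sasl_conf: bool = False
) -> Tuple[str, List[Tuple[int, str, List[bytes]]]]:
    """Return (dn, modlist) in the (op, attribute, values) shape python-ldap uses.

    Raises PermissionError instead of producing a modlist when the connection
    would carry the new password in the clear. Only unicodePwd is written;
    the legacy `password` attribute is not settable on post-2000 domains.
    """
    if not has_confidentiality(conn, allow_sasl_conf):
        raise PermissionError(
            f"refusing to send unicodePwd to {conn.host}:{conn.port} "
            "without TLS or a SASL confidentiality layer"
        )
    return dn, [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])]


if __name__ == "__main__":
    # Constructed connection states; hostnames and DN are placeholders.
    dn = "CN=host01,CN=Computers,DC=example,DC=test"
    plain = Connection("dc.example.test", 389)
    ldaps = Connection("dc.example.test", 636, tls=True)
    krb = Connection("dc.example.test", 389, sasl_mechanism="GSSAPI", sasl_ssf=128)

    for name, conn, allow in (("plain", plain, False), ("ldaps", ldaps, False),
                              ("gssapi/strict", krb, False), ("gssapi/auth-conf", krb, True)):
        try:
            _, modlist = build_password_modify(conn, dn, "N3w-Pass", allow)
            print(f"{name}: sending {modlist[0][1]} ({len(modlist[0][2][0])} bytes)")
        except PermissionError as exc:
            print(f"{name}: {exc}")
```

Note that the gate is purely client-side: it models the requirement both posters describe rather than predicting which layer a given domain controller will accept, so a site following Russ's observation leaves `allow_sasl_conf` at its default and only TLS connections pass.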