Re: computer account change password with Windows 2008 domain

Michael Engemann engemam at uni-muenster.de
Tue Jan 13 11:46:21 EST 2009


Hi Ross,

Thank you very much for the information about the hotfix.
May I ask if you have experienced any issues since applying the hotfix on your production servers? I ask because I wonder why this hotfix hasn't been released publicly yet.

Thanks,

Michael


> -----Original Message-----
> From: Wilper, Ross A [mailto:rwilper at stanford.edu]
> Sent: Wednesday, 7 January 2009 20:29
> To: Russ Allbery; Michael Engemann
> Cc: kerberos at mit.edu
> Subject: RE: computer account change password with Windows 2008 domain
> 
> The QoP negotiation issue is fixed by the hotfix with KB article 957072.
> This has been applied to our systems, but as of yet, I have not seen
> that this hotfix has been released publicly. So you would need to
> contact MS support for the hotfix.
> 
> -Ross
> 
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Russ Allbery
> Sent: Wednesday, January 07, 2009 10:45 AM
> To: Michael Engemann
> Cc: kerberos at mit.edu
> Subject: Re: computer account change password with Windows 2008 domain
> 
> Michael Engemann <engemam at uni-muenster.de> writes:
> 
> > we are also experiencing the bug in Windows Server 2008 that was
> > mentioned on this list in April 2008 by Russ Allbery:
> >
> > * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
> >   binds in Windows 2008.  In Windows 2003, provided that you didn't try to
> >   negotiate an SASL privacy layer, you could connect via TLS and
> >   authenticate with GSSAPI and query or set the password attribute
> >   directly.  In Windows 2008, this no longer works; you always get the
> >   error from the server that you are not permitted to negotiate a privacy
> >   layer when using TLS, even though you're not trying to.  We've already
> >   filed this as a bug.
> >
> > Is there perhaps any news about a fix or a known workaround?
> 
> The workaround is to use the password change protocol instead of using
> LDAP.  That's what we modified our code to do, since so far as I know
> Microsoft still hasn't fixed this bug.  (Their negotiation of GSSAPI
> privacy layers in their LDAP implementation is oddly broken in ways that
> are apparently difficult to fix, leading the server to think that you've
> always negotiated a privacy layer even if you haven't.  At least that's
> my understanding of the problem.)
> 
> --
> Russ Allbery (rra at stanford.edu)
> <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
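
As an added illustration, not code from this thread or from any of its participants: the LDAP-over-TLS password set that Russ describes as working on Windows 2003, written as the LDIF an admin would feed to OpenLDAP's ldapmodify with a GSSAPI bind and the SASL privacy layer explicitly refused (maxssf=0), plus a check for the Windows 2008 rejection that tells the caller to fall back to the Kerberos password-change protocol. The unicodePwd attribute and its quoted UTF-16LE encoding are Active Directory conventions assumed here, not stated in the thread; the host and DN are constructed placeholders.

```python
import base64
import subprocess
from typing import List


def unicode_pwd_value(password: str) -> bytes:
    # Assumption: the "password attribute" in the thread is AD's unicodePwd,
    # which expects the new password wrapped in double quotes, UTF-16LE encoded.
    return f'"{password}"'.encode("utf-16-le")


def password_ldif(dn: str, password: str) -> str:
    # LDIF modify record; "::" marks a base64-encoded attribute value.
    b64 = base64.b64encode(unicode_pwd_value(password)).decode("ascii")
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: unicodePwd", f"unicodePwd:: {b64}", ""])


def ldapmodify_command(host: str) -> List[str]:
    # OpenLDAP client flags: -ZZ requires StartTLS to succeed, -Y GSSAPI binds
    # with the Kerberos ticket, -O maxssf=0 refuses any SASL integrity/privacy
    # layer (TLS already protects the session). This is exactly the "not
    # trying to negotiate a privacy layer" case the thread says 2008 rejects.
    return ["ldapmodify", "-H", f"ldap://{host}", "-Y", "GSSAPI", "-ZZ",
            "-O", "maxssf=0"]


def needs_kpasswd_fallback(stderr: str) -> bool:
    # The server complaint quoted in the thread. If it appears even with
    # maxssf=0, the LDAP path is unusable and the Kerberos password-change
    # protocol (Russ's workaround) is the way forward.
    return "privacy layer" in stderr.lower()


def set_password_via_ldap(host: str, dn: str, password: str) -> bool:
    # Returns True on success, False if the caller should switch to kpasswd.
    # Needs a valid TGT in the credential cache. The LDIF goes in over stdin
    # so the new password never touches the filesystem.
    proc = subprocess.run(ldapmodify_command(host), input=password_ldif(dn, password),
                          capture_output=True, text=True)
    if proc.returncode == 0:
        return True
    if needs_kpasswd_fallback(proc.stderr):
        return False
    raise RuntimeError(proc.stderr.strip())
```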