Re: computer account change password with Windows 2008 domain
Michael Engemann
engemam at uni-muenster.de
Tue Jan 13 11:46:21 EST 2009
Hi Ross,
thank you very much for the information about the hotfix.
May I ask if you have experienced any issues since applying the hotfix on your production servers? I ask because I wonder why this hotfix hasn't been released publicly yet.
Thanks,
Michael
> -----Original Message-----
> From: Wilper, Ross A [mailto:rwilper at stanford.edu]
> Sent: Wednesday, 7 January 2009 20:29
> To: Russ Allbery; Michael Engemann
> Cc: kerberos at mit.edu
> Subject: RE: computer account change password with Windows 2008 domain
>
> The QoP negotiation issue is fixed by the hotfix with KB article
> 957072.
> This has been applied to our systems, but as of yet, I have not seen
> that this hotfix has been released publicly. So you would need to
> contact MS support for the hotfix
>
> -Ross
>
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Russ Allbery
> Sent: Wednesday, January 07, 2009 10:45 AM
> To: Michael Engemann
> Cc: kerberos at mit.edu
> Subject: Re: computer account change password with Windows 2008 domain
>
> Michael Engemann <engemam at uni-muenster.de> writes:
>
> > we are also experiencing the bug in Windows Server 2008 that was
> > mentioned on this list in April 2008 by Russ Allbery:
> >
> > * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
> > binds in Windows 2008. In Windows 2003, provided that you didn't try to
> > negotiate an SASL privacy layer, you could connect via TLS and
> > authenticate with GSSAPI and query or set the password attribute
> > directly. In Windows 2008, this no longer works; you always get the
> > error from the server that you are not permitted to negotiate a privacy
> > layer when using TLS, even though you're not trying to. We've already
> > filed this as a bug.
> >
> > Are there probably any news about a fix or a known workaround?
>
> The workaround is to use the password change protocol instead of using
> LDAP. That's what we modified our code to do, since so far as I know
> Microsoft still hasn't fixed this bug. (Their negotiation of GSSAPI
> privacy layers in their LDAP implementation is oddly broken in ways that
> are apparently difficult to fix, leading the server to think that you've
> always negotiated a privacy layer even if you haven't. At least that's
> my understanding of the problem.)
>
> --
> Russ Allbery (rra at stanford.edu)
> <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
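As an added example (not code from the thread or from any of the posters), this shows the two approaches discussed above side by side: the direct LDAP modify of the password attribute over TLS with a GSSAPI bind and no SASL privacy layer, which Windows 2008 rejects until the hotfix is applied, and the Kerberos password-change protocol that Russ uses as the workaround. It assumes the OpenLDAP `ldapmodify` and MIT `kpasswd` command-line tools; the DN, host and principal names are made up.

```python
# Added example, not from the thread. Stdlib only so it runs offline.
import base64

def encode_unicode_pwd(password: str) -> bytes:
    """Active Directory's unicodePwd attribute expects the new password
    wrapped in double quotes and encoded as UTF-16LE (no BOM)."""
    return f'"{password}"'.encode("utf-16-le")

def build_unicodepwd_ldif(dn: str, new_password: str) -> str:
    """LDIF for an ldapmodify that replaces unicodePwd. The value is
    binary, so LDIF carries it base64-encoded after a '::' separator."""
    b64 = base64.b64encode(encode_unicode_pwd(new_password)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {b64}\n"
        "-\n"
    )

def ldapmodify_command(host: str, ldif_path: str) -> list:
    """ldapmodify invocation matching the setup in the thread: StartTLS
    (-ZZ, fail if TLS cannot be established), SASL GSSAPI bind, and
    maxssf=0 so the client does NOT negotiate a SASL privacy layer; the
    TLS session already provides confidentiality. Windows 2003 accepts
    this; the thread reports Windows 2008 rejects it with a 'not permitted
    to negotiate a privacy layer' error until hotfix KB 957072 is applied."""
    return ["ldapmodify", "-ZZ", "-H", f"ldap://{host}",
            "-Y", "GSSAPI", "-O", "maxssf=0", "-f", ldif_path]

def kpasswd_workaround_command(principal: str) -> list:
    """The workaround from the thread: change the password over the
    Kerberos password-change protocol (kpasswd, TCP/UDP 464) instead of
    LDAP, which sidesteps the broken SASL layer negotiation entirely.
    Assumption: the MIT kpasswd client and a principal name of the form
    NAME$@REALM for the computer account; kpasswd prompts for the
    current password interactively."""
    return ["kpasswd", principal]

if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    dn = "CN=HOST1,CN=Computers,DC=example,DC=org"
    print(build_unicodepwd_ldif(dn, "Pa55w0rd!"))
    print(" ".join(ldapmodify_command("dc1.example.org", "pw.ldif")))
    print(" ".join(kpasswd_workaround_command("HOST1$@EXAMPLE.ORG")))
```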