computer account change password with Windows 2008 domain
Wilper, Ross A
rwilper at stanford.edu
Tue Jan 13 12:03:10 EST 2009
This hotfix is installed on 4 of our 5 forests and we have not seen any issues with it. I will note that our production authentication forest is the one that it is not on, since we have been delayed deploying Windows 2008 there. On the other hand, we put infrastructure and client development servers into our UAT forest, which does have this patch, so we do have Exchange, Outlook, and many third-party and home-grown apps on both Windows and Unix hitting a patched environment.
From the chatter I heard during the case, they had to make some deep changes in LDAP to fix the behavior, but I am also surprised that the patch has still not gone public. I have been poking a bit. I just checked the patch list for Service Pack 2 and I do not see it listed there either.
-Ross
-----Original Message-----
From: Michael Engemann [mailto:engemam at uni-muenster.de]
Sent: Tuesday, January 13, 2009 8:46 AM
To: Wilper, Ross A; Russ Allbery; Michael Engemann
Cc: kerberos at mit.edu
Subject: Re: computer account change password with Windows 2008 domain
Hi Ross,
thank you very much for the information about the hotfix.
May I ask if you have experienced any issues since applying the hotfix on your production servers? I ask because I wonder why this hotfix hasn't been released publicly yet.
Thanks,
Michael
> -----Original Message-----
> From: Wilper, Ross A [mailto:rwilper at stanford.edu]
> Sent: Wednesday, 7 January 2009 20:29
> To: Russ Allbery; Michael Engemann
> Cc: kerberos at mit.edu
> Subject: RE: computer account change password with Windows 2008 domain
>
> The QoP negotiation issue is fixed by the hotfix with KB article 957072.
> This has been applied to our systems, but as of yet, I have not seen
> that this hotfix has been released publicly. So you would need to
> contact MS support for the hotfix.
>
> -Ross
>
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Russ Allbery
> Sent: Wednesday, January 07, 2009 10:45 AM
> To: Michael Engemann
> Cc: kerberos at mit.edu
> Subject: Re: computer account change password with Windows 2008 domain
>
> Michael Engemann <engemam at uni-muenster.de> writes:
>
> > we are also experiencing the bug in Windows Server 2008 that was
> > mentioned on this list in April 2008 by Russ Allbery:
> >
> > * Microsoft broke password changes via the LDAP protocol with SASL
> > GSSAPI binds in Windows 2008. In Windows 2003, provided that you didn't
> > try to negotiate an SASL privacy layer, you could connect via TLS and
> > authenticate with GSSAPI and query or set the password attribute
> > directly. In Windows 2008, this no longer works; you always get the
> > error from the server that you are not permitted to negotiate a privacy
> > layer when using TLS, even though you're not trying to. We've already
> > filed this as a bug.
> >
> > Is there perhaps any news about a fix or a known workaround?
>
> The workaround is to use the password change protocol instead of using
> LDAP. That's what we modified our code to do, since so far as I know
> Microsoft still hasn't fixed this bug. (Their negotiation of GSSAPI
> privacy layers in their LDAP implementation is oddly broken in ways that
> are apparently difficult to fix, leading the server to think that you've
> always negotiated a privacy layer even if you haven't. At least that's
> my understanding of the problem.)
>
> --
> Russ Allbery (rra at stanford.edu)
> <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
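As an added illustration (not code from anyone in this thread), this is the LDAP-side write the discussion is about: a Python helper that builds the LDIF an `ldapmodify` run would send to Active Directory's `unicodePwd` attribute, both for an administrative reset and for the self-service change a computer account performs on its own password. The DN and passwords are constructed sample values; the encoding rule (new value wrapped in double quotes, UTF-16LE) is AD's documented convention. The bind itself (GSSAPI over TLS without a privacy layer, or the kpasswd-protocol workaround Russ describes) is deliberately not modelled here.

```python
import base64


def unicode_pwd_value(password: str) -> bytes:
    """Encode a clear-text password the way AD expects it in unicodePwd:
    the password in double quotes, as UTF-16LE. AD only accepts writes to
    this attribute over a connection it considers protected."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(raw: bytes) -> str:
    """Inverse of unicode_pwd_value, handy for checking a generated LDIF."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def _ldif_attr(name: str, raw: bytes) -> str:
    # LDIF carries binary values base64-encoded after a double colon.
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"


def reset_password_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: a single 'replace' of unicodePwd."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: unicodePwd",
             _ldif_attr("unicodePwd", unicode_pwd_value(new_password)), "-"]
    return "\n".join(lines) + "\n"


def change_password_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change, as a computer account does for its own password:
    delete the old value and add the new one in one modify operation."""
    lines = [f"dn: {dn}", "changetype: modify",
             "delete: unicodePwd",
             _ldif_attr("unicodePwd", unicode_pwd_value(old_password)), "-",
             "add: unicodePwd",
             _ldif_attr("unicodePwd", unicode_pwd_value(new_password)), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; not a real account.
    dn = "CN=HOST1,CN=Computers,DC=example,DC=com"
    print(change_password_ldif(dn, "OldMachinePw", "NewMachinePw"))
```

The output is what you would feed to `ldapmodify` after a GSSAPI bind (the `delete`/`add` pair only succeeds when the old value is correct).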