AW: computer account change password with Windows 2008 domain

Michael Engemann engemam at uni-muenster.de
Wed Jan 21 02:41:54 EST 2009


Hi Ross,

I just wanted to mention that from my own tests I can confirm that, although the hotfix is not listed in the SP2 patch list, the hotfix or the equivalent functionality is included in SP2. This is also true for the recently released public beta1 of Windows Server 2008 R2.

Michael


> -----Original Message-----
> From: Wilper, Ross A [mailto:rwilper at stanford.edu]
> Sent: Tuesday, 13 January 2009 18:03
> To: Michael Engemann; Russ Allbery
> Cc: kerberos at mit.edu
> Subject: RE: computer account change password with Windows 2008 domain
> 
> This hotfix is installed on 4 of our 5 forests and we have not seen any
> issues with it. I will note that our production authentication forest
> is the one that it is not on since we have been delayed deploying
> Windows 2008 there. On the other hand, we put infrastructure and client
> development servers into our UAT forest which does have this patch - so
> we do have Exchange, Outlook, and many 3rd-party + home grown apps on
> both Windows and Unix hitting a patched environment.
> 
> From the chatter I heard during the case, they had to make some deep
> changes in LDAP to fix the behavior, but I am also surprised that the
> patch has still not gone public. I have been poking a bit. I just
> checked the patch list for Service Pack 2 and I do not see it listed
> there either.
> 
> -Ross
> 
> -----Original Message-----
> From: Michael Engemann [mailto:engemam at uni-muenster.de]
> Sent: Tuesday, January 13, 2009 8:46 AM
> To: Wilper, Ross A; Russ Allbery; Michael Engemann
> Cc: kerberos at mit.edu
> Subject: AW: computer account change password with Windows 2008 domain
> 
> Hi Ross,
> 
> Thank you very much for the information about the hotfix.
> May I ask if you have experienced any issues since applying the hotfix
> on your production servers? I ask because I wonder why this hotfix
> hasn't been released publicly yet.
> 
> Thanks,
> 
> Michael
> 
> 
> > -----Original Message-----
> > From: Wilper, Ross A [mailto:rwilper at stanford.edu]
> > Sent: Wednesday, 7 January 2009 20:29
> > To: Russ Allbery; Michael Engemann
> > Cc: kerberos at mit.edu
> > Subject: RE: computer account change password with Windows 2008 domain
> >
> > The QoP negotiation issue is fixed by the hotfix with KB article
> > 957072.
> > This has been applied to our systems, but as of yet, I have not seen
> > that this hotfix has been released publicly. So you would need to
> > contact MS support for the hotfix.
> >
> > -Ross
> >
> >
> > -----Original Message-----
> > From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> > Behalf Of Russ Allbery
> > Sent: Wednesday, January 07, 2009 10:45 AM
> > To: Michael Engemann
> > Cc: kerberos at mit.edu
> > Subject: Re: computer account change password with Windows 2008 domain
> >
> > Michael Engemann <engemam at uni-muenster.de> writes:
> >
> > > we are also experiencing the bug in Windows Server 2008 that was
> > > mentioned on this list in April 2008 by Russ Allbery:
> > >
> > > * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
> > >   binds in Windows 2008.  In Windows 2003, provided that you didn't try to
> > >   negotiate an SASL privacy layer, you could connect via TLS and
> > >   authenticate with GSSAPI and query or set the password attribute
> > >   directly.  In Windows 2008, this no longer works; you always get the
> > >   error from the server that you are not permitted to negotiate a privacy
> > >   layer when using TLS, even though you're not trying to.  We've already
> > >   filed this as a bug.
> > >
> > > Is there perhaps any news about a fix or a known workaround?
> >
> > The workaround is to use the password change protocol instead of using
> > LDAP.  That's what we modified our code to do, since so far as I know
> > Microsoft still hasn't fixed this bug.  (Their negotiation of GSSAPI
> > privacy layers in their LDAP implementation is oddly broken in ways that
> > are apparently difficult to fix, leading the server to think that you've
> > always negotiated a privacy layer even if you haven't.  At least that's
> > my understanding of the problem.)
> >
> > --
> > Russ Allbery (rra at stanford.edu)
> > <http://www.eyrie.org/~eagle/>
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
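The two routes contrasted in the quoted exchange above, as an added example that is not code from this thread or from Stanford's own tools: the first half builds the LDAP modify that sets unicodePwd (the route that worked against Windows 2003 over TLS with a GSSAPI bind and no SASL privacy layer), the second half shows the wire framing of the Kerberos change/set-password protocol (RFC 3244) that Russ says they switched to. The DN and password are constructed sample values, and the AP-REQ and KRB-PRIV bytes are placeholders that a real Kerberos library would produce; only the framing around them is shown.

```python
"""Two ways to set an AD account password: LDAP unicodePwd vs. kpasswd framing.

Added example, not code from the thread.  The sample DN and password and the
placeholder AP-REQ / KRB-PRIV bytes are constructed for illustration.
"""
import base64
import struct

# ---- Route 1: LDAP modify of unicodePwd over TLS --------------------------
# AD only accepts unicodePwd writes on an encrypted connection.  With a SASL
# GSSAPI bind over TLS the client must NOT also negotiate a SASL privacy layer
# on top of TLS, e.g. OpenLDAP's `ldapmodify -ZZ -Y GSSAPI -O maxssf=0`.  This
# is the combination the thread reports Windows 2008 rejects before the hotfix.

def encode_unicode_pwd(password: str) -> bytes:
    """AD's documented encoding: the new password in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def build_unicodepwd_ldif(dn: str, new_password: str) -> str:
    """LDIF for `ldapmodify` that replaces the account's password."""
    value = base64.b64encode(encode_unicode_pwd(new_password)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {value}",   # '::' marks a base64-encoded value in LDIF
        "-",
        "",
    ])


# ---- Route 2: the Kerberos password change protocol (RFC 3244) ------------
# Request layout, sent to the KDC's kpasswd service on port 464:
#   2 bytes  total message length (including this field)
#   2 bytes  protocol version: 0x0001 change password, 0xff80 set password
#   2 bytes  length of the AP-REQ
#   AP-REQ   authenticator for the kadmin/changepw service
#   KRB-PRIV sealed new password (for set password: a ChangePasswdData sequence
#            naming the target principal, so an admin can set another
#            principal's key, e.g. a computer account's)
# On TCP the whole request is additionally prefixed by a 4-byte length.
KPASSWD_CHANGE = 0x0001
KPASSWD_SET = 0xFF80


def frame_kpasswd_request(ap_req: bytes, krb_priv: bytes,
                          version: int = KPASSWD_SET) -> bytes:
    """Wrap library-produced AP-REQ and KRB-PRIV bytes in the RFC 3244 header."""
    body = struct.pack(">HH", version, len(ap_req)) + ap_req + krb_priv
    return struct.pack(">H", 2 + len(body)) + body


def parse_kpasswd_request(msg: bytes):
    """Split a request back into (version, ap_req, krb_priv), checking lengths."""
    if len(msg) < 6:
        raise ValueError("short kpasswd message")
    total, version, ap_len = struct.unpack(">HHH", msg[:6])
    if total != len(msg):
        raise ValueError(f"length field {total} != actual length {len(msg)}")
    if 6 + ap_len > len(msg):
        raise ValueError("AP-REQ length exceeds message")
    return version, msg[6:6 + ap_len], msg[6 + ap_len:]


if __name__ == "__main__":
    # constructed sample values
    print(build_unicodepwd_ldif("CN=host01,CN=Computers,DC=example,DC=com",
                                "Correct-Horse-42"))
    req = frame_kpasswd_request(b"<AP-REQ>", b"<KRB-PRIV>")  # placeholders
    print(req.hex())
```

The LDIF route is what the thread says Windows 2003 accepted and Windows 2008 (pre-hotfix) refuses with the privacy-layer error; the kpasswd route sidesteps LDAP entirely, which is why it is the workaround. For a computer account the set-password variant (0xff80) is the one an administrative tool would use, since it names the target principal inside the sealed ChangePasswdData rather than changing the caller's own password.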



