[30594] in Kerberos
AW: computer account change password with Windows 2008 domain
daemon@ATHENA.MIT.EDU (Michael Engemann)
Wed Jan 7 10:11:49 2009
From: Michael Engemann <engemam@uni-muenster.de>
To: Tim Alsop <Tim.Alsop@CyberSafe.com>, Michael Engemann <engemam@uni-muenster.de>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Wed, 7 Jan 2009 16:10:28 +0100
Message-ID: <B9FF9EF243E4FA488E3C48DEC932F49137698D35DD@EXCHANGE.wwu.de>
In-Reply-To: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E4902EEF@exchange.cybersafe.local>

Hi Tim,

can you tell me then what I am doing wrong?

Even a simple ldapsearch that was functioning for Windows 2003 throws an error for 2008:

ldapsearch -Hldap://fqdn -b "" -s base -Omaxssf=0 -ZZ
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771

Thanks,
Michael

> -----Original Message-----
> From: Tim Alsop [mailto:Tim.Alsop@CyberSafe.com]
> Sent: Wednesday, 7 January 2009 15:57
> To: Michael Engemann; kerberos@mit.edu
> Subject: RE: computer account change password with Windows 2008 domain
>
> Hi,
>
> We are able to change/set passwords using Kerberos/GSS-API/SASL/LDAP
> when using Active Directory on Windows Server 2008.
>
> Thanks,
> Tim
>
> -----Original Message-----
> From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
> Behalf Of Michael Engemann
> Sent: 07 January 2009 14:46
> To: kerberos@mit.edu
> Subject: computer account change password with Windows 2008 domain
>
> Hi,
>
> we are also experiencing the bug in Windows Server 2008 that was
> mentioned on this list in April 2008 by Russ Allbery:
>
> * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
>   binds in Windows 2008. In Windows 2003, provided that you didn't try to
>   negotiate an SASL privacy layer, you could connect via TLS and
>   authenticate with GSSAPI and query or set the password attribute
>   directly. In Windows 2008, this no longer works; you always get the
>   error from the server that you are not permitted to negotiate a privacy
>   layer when using TLS, even though you're not trying to. We've already
>   filed this as a bug.
>
> Is there perhaps any news about a fix or a known workaround?
>
> Thanks in advance,
>
> Michael
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
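
An added example, not part of the original thread: a small parser for the ldapsearch failure output quoted above, useful for recognising this specific sign/seal-over-TLS refusal in client logs. The function names are hypothetical, the sample is constructed from the output in the message, and reading the code, data and v fields as hexadecimal is an assumption.

```python
import re

# Constructed sample: the ldapsearch output quoted in the message above.
SAMPLE_STDERR = """SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771
"""

_RESULT = re.compile(r"^ldap_\w+: .*\((-?\d+)\)\s*$", re.M)
_INFO = re.compile(r"^\s*additional info: (.*)$", re.M)
_DIAG = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}): (?P<source>\w+): (?P<dsid>DSID-[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>.*), data (?P<data>[0-9A-Fa-f]+), v(?P<build>[0-9A-Fa-f]+)$"
)

def parse_diagnostic(info):
    """Split the server's diagnostic string into fields; None if it does not match."""
    m = _DIAG.match(info.strip())
    if m is None:
        return None
    d = m.groupdict()
    for key in ("code", "data", "build"):
        d[key] = int(d[key], 16)  # assumption: these three fields are hexadecimal
    return d

def classify_bind_failure(stderr):
    """Return the parsed fields plus a flag for the sign/seal-over-TLS refusal."""
    rc = _RESULT.search(stderr)
    info = _INFO.search(stderr)
    if rc is None or info is None:
        return None
    diag = parse_diagnostic(info.group(1))
    if diag is None:
        return None
    diag["result_code"] = int(rc.group(1))  # 53 = unwillingToPerform
    # The refusal is identified by result code 53 plus the server's comment text.
    diag["seal_over_tls_conflict"] = (
        diag["result_code"] == 53
        and "sign/seal" in diag["comment"]
        and "TLS or SSL" in diag["comment"]
    )
    return diag

if __name__ == "__main__":
    print(classify_bind_failure(SAMPLE_STDERR))
```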