[30602] in Kerberos


RE: computer account change password with Windows 2008 domain

daemon@ATHENA.MIT.EDU (Wilper, Ross A)
Wed Jan 7 15:48:43 2009

Date: Wed, 7 Jan 2009 12:34:13 -0800
Message-ID: <B9BF119F687A824C8A49C4E4ED6957680152F86A@its-exchmb01.stanford.edu>
In-Reply-To: <87priyyjcb.fsf@windlord.stanford.edu>
From: "Wilper, Ross A" <rwilper@stanford.edu>
To: "Russ Allbery" <rra@stanford.edu>, "Michael B Allen" <ioplex@gmail.com>
Cc: kerberos@mit.edu

I'll jump in again and state that Windows 2000 did not support setting
unicodePwd using anything other than LDAPS, but Windows 2003 and 2008 do
support using SASL with "auth-conf" (SASL confidentiality is now the
default mechanism in the ADSI libraries). The MS documents are fairly
confusing, but I have code that sets the password using ADSI on port 389
after setting Kerberos encryption.

password and unicodePwd cannot be viewed, and I think that after Windows
2000, password cannot be set (only unicodePwd).

Again, there are bugs in auth-conf and service principal binds (UPN with
a "/") in Windows 2008 that require hotfixes and only the latter hotfix
is public.

(My plane is boarding now, gotta run)

-Ross

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Russ Allbery
Sent: Wednesday, January 07, 2009 12:04 PM
To: Michael B Allen
Cc: kerberos@mit.edu
Subject: Re: computer account change password with Windows 2008 domain

"Michael B Allen" <ioplex@gmail.com> writes:

> Do you know if works when SASL confidentiality is used instead of TLS?

It does not.  Microsoft's LDAP implementation requires TLS in order to
view or change the password attribute.  I don't know of any technical
reason why SASL confidentiality wouldn't be sufficient (provided the
negotiated strength were high enough), but their implementation doesn't
appear to support this.

> Is there any method that works at all?

> I'm sure a lot of people would like to know exactly what privacy
> establishment methods allow you to set unicodePwd over LDAP.

Under Windows 2008, so far as I can determine, the only supported way to
set unicodePwd over LDAP is to use password binds with TLS.  I don't
believe this is intentional -- Microsoft acknowledges that it's a bug
rather than a design intention -- but as long as the bug is present, it
amounts to the same thing.

-- 
Russ Allbery (rra@stanford.edu)
<http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

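The two transports discussed in this thread, written out as an added PowerShell example that is not code from Ross, Russ or the list. It uses System.DirectoryServices.Protocols rather than ADSI: the LDAPS path is the password bind over TLS that Russ describes, and the SASL path is the Kerberos bind on port 389 with sealing (auth-conf) turned on that Ross describes. The server name, DN, account and passwords are placeholders and the function names are my own. Whether a given DC accepts the sealed SASL path for unicodePwd depends on the hotfix state Ross mentions, so the example inspects the result code instead of assuming success.

```powershell
# Added example: set unicodePwd over LDAP with either LDAPS + simple bind
# or Kerberos SASL bind + sealing on 389. Placeholders: dc01.example.com,
# the target DN and the passwords. Function names are this example's own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-UnicodePwd {
    param([Parameter(Mandatory)][string]$PlainText)
    # AD wants the password wrapped in double quotes and encoded as UTF-16LE
    # with no BOM; [Text.Encoding]::Unicode.GetBytes() produces exactly that.
    [System.Text.Encoding]::Unicode.GetBytes('"' + $PlainText + '"')
}

function Connect-AdLdap {
    param(
        [Parameter(Mandatory)][string]$Server,
        [ValidateSet('LDAPS', 'SASL-Sealed')][string]$Transport = 'LDAPS',
        [System.Net.NetworkCredential]$Credential   # only used for LDAPS
    )
    if ($Transport -eq 'LDAPS') {
        # Path 1: TLS on 636 plus a simple (password) bind.
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential
    } else {
        # Path 2: plain 389, Kerberos (GSSAPI) bind, then the SASL privacy
        # layer. Sealing = auth-conf, Signing = auth-int. Without Sealing the
        # DC refuses the unicodePwd modify with unwillingToPerform (53).
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos
        $conn.SessionOptions.Sealing = $true
        $conn.SessionOptions.Signing = $true
    }
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # SASL path: binds as the calling user's Kerberos identity
    return $conn
}

function Set-AdPasswordOverLdap {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$NewPassword,
        [string]$OldPassword   # supply for a self-service change, omit for an admin reset
    )
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $DistinguishedName

    if ($OldPassword) {
        # Change: delete old value and add new value in ONE modify. This is
        # the form a user may perform on its own account without reset rights.
        $del = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
        $del.Name = 'unicodePwd'
        $del.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
        $del.Add((ConvertTo-UnicodePwd $OldPassword)) | Out-Null
        $req.Modifications.Add($del) | Out-Null

        $add = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
        $add.Name = 'unicodePwd'
        $add.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
        $add.Add((ConvertTo-UnicodePwd $NewPassword)) | Out-Null
        $req.Modifications.Add($add) | Out-Null
    } else {
        # Reset: replace the value; needs "Reset Password" on the object.
        $rep = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
        $rep.Name = 'unicodePwd'
        $rep.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
        $rep.Add((ConvertTo-UnicodePwd $NewPassword)) | Out-Null
        $req.Modifications.Add($rep) | Out-Null
    }

    try {
        $resp = $Connection.SendRequest($req)
        return $resp.ResultCode      # Success on a working transport
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # UnwillingToPerform here usually means the channel was not judged
        # encrypted by the DC (the bug this thread is about on 2008).
        return $_.Exception.Response.ResultCode
    }
}

# Usage (placeholders): the SASL-sealed path, admin reset of a computer account.
$conn = Connect-AdLdap -Server 'dc01.example.com' -Transport 'SASL-Sealed'
$rc = Set-AdPasswordOverLdap -Connection $conn `
        -DistinguishedName 'CN=HOST01,OU=Servers,DC=example,DC=com' `
        -NewPassword 'NewMachinePw-Placeholder-1'
"unicodePwd modify result: $rc"
$conn.Dispose()
```

The one knob that distinguishes Ross's working setup from a failing one is `SessionOptions.Sealing`: signing alone gives integrity, not confidentiality, and the DC rejects unicodePwd on a channel it does not consider encrypted. If the sealed SASL path returns UnwillingToPerform on a 2008 DC, that matches the hotfix situation in the thread, and the LDAPS path is the fallback.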
