[29605] in Kerberos

computer account change password with Windows 2008 domain

daemon@ATHENA.MIT.EDU (Tim Alsop)
Tue Apr 1 09:04:27 2008

Date: Tue, 1 Apr 2008 14:02:18 +0100
Message-ID: <0D8F2EFD3A10E24DAEEA48EA6DA07D3048A5F5@postman-pat.csafe.local>
From: "Tim Alsop" <Tim.Alsop@CyberSafe.Com>
To: <kerberos@mit.edu>

Hi,

We have discovered a problem when we try to set/change password for a
computer account in AD on Windows Server 2008. The computer account is
created so we can use it for a service/application, and the key is
created from its password (randomly generated) and extracted into a key
table file.

Our code is able to create the account (authenticating to AD using
SASL/GSS/Kerberos) but when we try and set the computer account's
password to a random value, the request is rejected, so it looks like AD
on Windows 2008 has some changes which stop password changes for
computer accounts, or maybe something which is stopping changes to
passwords for accounts that use a principal name such as
name/fqdn@REALM.

The same code works perfectly on Windows Server 2003 domains, so we
suspect some changes in Windows Server 2008 have caused this set/change
password restriction.

Does anybody have any experience of the same problem?

Thanks,

Tim

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
