[29617] in Kerberos
RE: computer account change password with Windows 2008 domain
daemon@ATHENA.MIT.EDU (Tim Alsop)
Tue Apr 1 17:30:55 2008
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 1 Apr 2008 22:28:19 +0100
Message-ID: <0D8F2EFD3A10E24DAEEA48EA6DA07D3048A5FF@postman-pat.csafe.local>
In-Reply-To: <87prt96zs9.fsf@windlord.stanford.edu>
From: "Tim Alsop" <Tim.Alsop@CyberSafe.Com>
To: "Russ Allbery" <rra@stanford.edu>
Cc: Srinivas Cheruku <srinivas.cheruku@CyberSafe.Com>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Russ,
That's great information, thanks.
We are using Kerberos set password protocol to change/set the computer
account password, but since the SPN used contains a / I suspect we are
experiencing the same issues you described.
If you have any reference numbers for your problems, then I would like
to mention them to MS when I talk to them tomorrow.
Thanks,
Tim
-----Original Message-----
From: Russ Allbery [mailto:rra@stanford.edu]
Sent: 01 April 2008 22:17
To: Tim Alsop
Cc: kerberos@mit.edu
Subject: Re: computer account change password with Windows 2008 domain
"Tim Alsop" <Tim.Alsop@CyberSafe.Com> writes:
> We have discovered a problem when we try to set/change password for a
> computer account in AD on Windows Server 2008. The computer account is
> created so we can use it for a service/application, and the key is
> created from it's password (randomly generated) and extracted into a
key
> table file.
>
> Our code is able to create the account (authenticating to AD using
> SASL/GSS/Kerberos) but when we try and set the computer account's
> password to a random value, the request is rejected, so it looks like
AD
> on Windows 2008 has some changes which stop password changes for
> computer accounts, or maybe something which is stopping changes to
> passwords for accounts that use a principal name such as
> name/fqdn@REALM.
You don't say here *how* you're changing the password, but there are two
Active Directory bugs in Windows 2008 that you may be running into:
* Authentication to Active Directory using a principal that contains a
slash (such as service/foo) from a keytab generated by the Windows
tool
is broken in Windows 2008. It works fine if there is no slash in the
principal. Microsoft has identified this as a bug and is working on a
fix.
* Microsoft broke password changes via the LDAP protocol with SASL
GSSAPI
binds in Windows 2008. In Windows 2003, provided that you didn't try
to
negotiate an SASL privacy layer, you could connect via TLS and
authenticate with GSSAPI and query or set the password attribute
directly. In Windows 2008, this no longer works; you always get the
error from the server that you are not permitted to negotiate a
privacy
layer when using TLS, even though you're not trying to. We've already
filed this as a bug.
In both cases, if you have a support contract with Microsoft and this is
a
problem that you're running into, please independently open your own
bug;
the more customers they know this affects, the more likely we'll get a
hot
fix.
--
Russ Allbery (rra@stanford.edu)
<http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
