Hi Tim,

can you tell me then what I am doing wrong? Even a simple ldapsearch that was functioning for Windows 2003 throws an error for 2008:

ldapsearch -Hldap://fqdn -b "" -s base -Omaxssf=0 -ZZ
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771

Thanks,
Michael

> -----Original Message-----
> From: Tim Alsop [mailto:[email protected]]
> Sent: Wednesday, 7 January 2009 15:57
> To: Michael Engemann; [email protected]
> Subject: RE: computer account change password with Windows 2008 domain
>
> Hi,
>
> We are able to change/set passwords using Kerberos/GSS-API/SASL/LDAP
> when using Active Directory on Windows Server 2008.
>
> Thanks,
> Tim
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Engemann
> Sent: 07 January 2009 14:46
> To: [email protected]
> Subject: computer account change password with Windows 2008 domain
>
> Hi,
>
> we are also experiencing the bug in Windows Server 2008 that was
> mentioned on this list in April 2008 by Russ Allbery:
>
> * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
>   binds in Windows 2008. In Windows 2003, provided that you didn't try to
>   negotiate an SASL privacy layer, you could connect via TLS and
>   authenticate with GSSAPI and query or set the password attribute
>   directly. In Windows 2008, this no longer works; you always get the
>   error from the server that you are not permitted to negotiate a privacy
>   layer when using TLS, even though you're not trying to. We've already
>   filed this as a bug.
>
> Is there perhaps any news about a fix or a known workaround?
>
> Thanks in advance,
>
> Michael
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
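For triage of the failure quoted in this thread, the following added example (not part of the original messages and not code from any poster) splits the client output into the LDAP result code and the Active Directory diagnostic fields, then flags the TLS plus SASL sign/seal conflict. The function names are hypothetical, and reading the "data" and "v" fields as hexadecimal is an assumption about the diagnostic string format.

```python
import re

# Constructed sample: the client output quoted in the message above.
SAMPLE = (
    "SASL/GSSAPI authentication started\n"
    "ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)\n"
    "\tadditional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot "
    "bind using sign/seal on a connection on which TLS or SSL is in effect, "
    "data 0, v1771\n"
)

# "<client call>: <result text> (<LDAP result code>)"
RESULT_RE = re.compile(r"^(ldap_\w+): (.+?) \((-?\d+)\)\s*$", re.M)
# "<win32 hex>: <source>: DSID-<hex>, comment: <text>, data <hex>, v<hex>"
DIAG_RE = re.compile(
    r"additional info:\s*([0-9A-Fa-f]{8}): (\w+): (DSID-[0-9A-Fa-f]+), "
    r"comment: (.*?), data ([0-9A-Fa-f]+), v([0-9A-Fa-f]+)", re.S)


def parse_ldap_failure(output):
    """Return the LDAP result and AD diagnostic fields, or None if the
    output contains no result line."""
    result = RESULT_RE.search(output)
    if result is None:
        return None
    info = {"call": result.group(1), "result_text": result.group(2),
            "result_code": int(result.group(3))}
    diag = DIAG_RE.search(output)
    if diag:
        info.update(
            win32_error=int(diag.group(1), 16),   # 0x2029 -> 8233
            source=diag.group(2),
            dsid=diag.group(3),
            comment=" ".join(diag.group(4).split()),  # undo line wrapping
            data=int(diag.group(5), 16),          # assumption: hex field
            server_build=int(diag.group(6), 16),  # assumption: hex build
        )
    return info


def is_tls_sasl_layer_conflict(info):
    """True when the server refused the bind (result 53) because it saw a
    SASL sign/seal request on a connection already protected by TLS/SSL."""
    if not info or info.get("result_code") != 53:
        return False
    comment = info.get("comment", "").lower()
    return "sign/seal" in comment and ("tls" in comment or "ssl" in comment)


if __name__ == "__main__":
    parsed = parse_ldap_failure(SAMPLE)
    print(parsed)
    print("TLS + SASL layer conflict:", is_tls_sasl_layer_conflict(parsed))
```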
