Hi Ross, thank you very much for the information about the hotfix. May I ask if you have experienced any issues since applying the hotfix on your production servers? I ask because I wonder why this hotfix hasn't been released publicly yet.
Thanks, Michael

> -----Original Message-----
> From: Wilper, Ross A [mailto:[email protected]]
> Sent: Wednesday, 7 January 2009 20:29
> To: Russ Allbery; Michael Engemann
> Cc: [email protected]
> Subject: RE: computer account change password with Windows 2008 domain
>
> The QoP negotiation issue is fixed by the hotfix with KB article 957072.
> This has been applied to our systems, but as of yet, I have not seen
> that this hotfix has been released publicly. So you would need to
> contact MS support for the hotfix.
>
> -Ross
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Russ Allbery
> Sent: Wednesday, January 07, 2009 10:45 AM
> To: Michael Engemann
> Cc: [email protected]
> Subject: Re: computer account change password with Windows 2008 domain
>
> Michael Engemann <[email protected]> writes:
>
> > We are also experiencing the bug in Windows Server 2008 that was
> > mentioned on this list in April 2008 by Russ Allbery:
> >
> > * Microsoft broke password changes via the LDAP protocol with SASL GSSAPI
> >   binds in Windows 2008. In Windows 2003, provided that you didn't try to
> >   negotiate an SASL privacy layer, you could connect via TLS and
> >   authenticate with GSSAPI and query or set the password attribute
> >   directly. In Windows 2008, this no longer works; you always get the
> >   error from the server that you are not permitted to negotiate a privacy
> >   layer when using TLS, even though you're not trying to. We've already
> >   filed this as a bug.
> >
> > Is there perhaps any news about a fix or a known workaround?
>
> The workaround is to use the password change protocol instead of using
> LDAP. That's what we modified our code to do, since so far as I know
> Microsoft still hasn't fixed this bug. (Their negotiation of GSSAPI
> privacy layers in their LDAP implementation is oddly broken in ways that
> are apparently difficult to fix, leading the server to think that you've
> always negotiated a privacy layer even if you haven't. At least that's
> my understanding of the problem.)
>
> --
> Russ Allbery ([email protected])             <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
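The two password-change paths the thread contrasts, as an added example that is not part of the thread and not Russ's or Ross's code: path 1 writes unicodePwd over LDAP with StartTLS and a GSSAPI bind that explicitly refuses a SASL privacy layer (maxssf=0), which is what works on Windows 2003 and what an unpatched Windows 2008 DC rejects; path 2 is the Kerberos change-password protocol (kpasswd, port 464) that Russ switched to. It assumes OpenLDAP client tools built with SASL/GSSAPI, MIT kpasswd, iconv and base64 on PATH, an existing Kerberos ticket, and the hypothetical host, DN and principal names in the usage comment.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenLDAP ldapmodify with
# GSSAPI support, MIT kpasswd, iconv and base64, and a valid ticket (kinit).
set -u

# AD expects unicodePwd to be the new password wrapped in double quotes and
# encoded as UTF-16LE; LDIF carries binary values base64-encoded after '::'.
ad_unicodepwd_b64() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# LDIF modify record replacing unicodePwd on the given DN.
ad_unicodepwd_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n-\n' \
        "$1" "$(ad_unicodepwd_b64 "$2")"
}

# Path 1: StartTLS (-ZZ: must succeed), GSSAPI bind, and maxssf=0 so the
# client never asks for a SASL integrity/privacy layer on top of TLS.
# Works against Windows 2003; an unpatched Windows 2008 DC rejects the bind
# with the "not permitted to negotiate a privacy layer" error from the thread.
ldap_set_password() {
    dc="$1"; dn="$2"; pw="$3"
    ad_unicodepwd_ldif "$dn" "$pw" |
        ldapmodify -Q -H "ldap://$dc" -ZZ -Y GSSAPI -O maxssf=0
}

# Path 2: the RFC 3244 change-password exchange on port 464. kpasswd does its
# own Kerberos authentication and carries the new password inside KRB-PRIV,
# so neither an LDAP connection nor a TLS negotiation is involved.
# MIT kpasswd prompts for the principal's current and new password.
kpasswd_set_password() {
    kpasswd "$1"
}

# Try LDAP first; if the DC rejects the bind, fall back to kpasswd.
change_password() {
    dc="$1"; dn="$2"; principal="$3"; pw="$4"
    if ldap_set_password "$dc" "$dn" "$pw"; then
        echo "password set over LDAP+TLS for $dn"
    else
        echo "LDAP path failed (Windows 2008 QoP bug?); using kpasswd for $principal" >&2
        kpasswd_set_password "$principal"
    fi
}

# Usage (hypothetical names):
#   ./adpw.sh dc1.example.com 'CN=host1,CN=Computers,DC=example,DC=com' \
#             'host1$@EXAMPLE.COM' 'new-password'
if [ $# -eq 4 ]; then
    change_password "$@"
fi
```

The only piece that is specific to AD rather than to the bug is the unicodePwd encoding: a wrong encoding (no quotes, or UTF-8 instead of UTF-16LE) fails even on a DC that accepts the bind, so check the LDIF before blaming the QoP negotiation.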
