krb5-sync 1.2 released

Matthew Andrews matt at slackers.net
Wed May 28 16:19:01 EDT 2008


Russ Allbery wrote:
> I'm pleased to announce release 1.2 of krb5-sync.
> 

Has anyone attempted to use the patch included in this with newer MIT 
Kerberos releases? I'm particularly interested in 1.6.1 with RHEL5 
patches, but if someone has tried this with a similar vintage krb5 I'd 
expect it to be helpful.

I have tried applying the patch as is, and 3 pieces of the patch 
immediately fail (I've yet to try and determine if the rest of the chunks 
that apply are actually correct).

1) src/lib/kadm5/configure.in does not exist in 1.6.1. The patch seems 
to be adding checks for dlopen:

--- krb5-1.4.4/src/lib/kadm5/configure.in       2004-02-12 
19:19:30.000000000 -0
800
+++ krb5-1.4.4-patched/src/lib/kadm5/configure.in       2007-07-29 
19:12:55.0000
00000 -0700
@@ -10,10 +10,12 @@
  AC_CHECK_PROG(RUNTEST,runtest,runtest)
  AC_CHECK_PROG(PERL,perl,perl)
  AC_CHECK_FUNCS(srand48 srand srandom)
+AC_CHECK_LIB(dl, dlopen, DL_LIB=-ldl)
  AC_KRB5_TCL
  if test "$PERL" = perl -a "$RUNTEST" = runtest -a "$TCL_LIBS" != ""; then
         DO_TEST=ok
  fi
+AC_SUBST(DL_LIB)
  AC_SUBST(DO_TEST)
  dnl
  KRB5_BUILD_LIBOBJS
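
Review bot: The AC_CHECK_LIB(dl, dlopen, DL_LIB=-ldl) line sets DL_LIB only when libdl provides dlopen and has no action for the not-found case, so configure gives no signal when dlopen is unavailable altogether. DL_LIB is also never initialised before the check, so any value inherited from the environment is what AC_SUBST(DL_LIB) exports. Suggest setting DL_LIB to empty before the check, adding AC_CHECK_FUNCS(dlopen) or an explicit failure/disable path for platforms without it, and placing AC_SUBST(DL_LIB) next to the check instead of after the DO_TEST block.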

I'm not sure if these autoconf rules need to be added to some higher 
level configure.{in,ac} or if they are already taken care of in 1.6.1.

2) In src/lib/kadm5/srv/server_init.c, the addition of the call to 
init_pwupdate() just before adb_policy_init() failed. It looks like 
sdb_policy_init is being called in a fairly different place now. Any 
hints on what the appropriate time to initialize this plugin is in 1.6.1?

3) Finally, the actual init_pwupdate function failed to get added to 
svr_principal.c, but I think that was just because the file was enough 
shorter than the 1.4.4 version, and that it can be added to the end of 
the file.


In any case, if anyone has any experience with this patch on newer krb5 
releases, or can make recommendations on how to remedy the failed patch 
elements listed above (particularly issues 1 and 2), your help would be 
much appreciated.

Thanks,

-Matt Andrews



> krb5-sync is a toolkit for updating passwords and account status from an
> MIT Kerberos master KDC to Active Directory and/or an AFS kaserver.  It is
> implemented as a patch to kadmind and a plugin module that will push
> password changes and selected account flag changes to Active Directory or
> to a kaserver at the same time as they are made to the local KDC database.
> 
> Changes from previous release:
> 
>     Don't call rx_Finalize after every synchronization with an AFS
>     kaserver.  This isn't correct and leaks threads.  Only call
>     rx_Finalize when shutting down the entire module.
> 
>     The AFS synchronization code is now only built if requested using the
>     --with-afs flag to configure, allowing the package to be built at
>     sites that don't use AFS.
> 
>     Add the purge command to krb5-sync-backend, which removes all queued
>     actions last modified more than some number of days in the past.
> 
>     Use the new Kerberos error message APIs to retrieve error messages,
>     giving more complete errors in current versions of Kerberos.  This is
>     also necessary in the long run for Heimdal support, although the
>     package in general doesn't support Heimdal yet.
> 
> You can download it from:
> 
>     <http://www.eyrie.org/~eagle/software/krb5-sync/>
> 
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
> 



