krb5-sync 2.2 released

Russ Allbery rra at
Wed Jan 11 18:01:12 EST 2012

I'm pleased to announce release 2.2 of krb5-sync.

krb5-sync is a toolkit for synchronizing passwords and account status from
an MIT or Heimdal Kerberos master KDC to Active Directory.  Password
changes are done via the Kerberos password change protocol, and account
status is updated via LDAP.  It provides a plugin for the kadmin libraries
and supporting command-line utilities, as well as a patch for Heimdal and
older versions of MIT Kerberos to add plugin support.

Changes from previous release:

    The name of the plugin is now instead of
    and is installed under /usr/local/lib/krb5/plugins by default.  The
    KDC configuration for the name of the module to load will need to
    change accordingly.

    Add support for the new libkadm5 hooks provided by MIT Kerberos 1.9.
    With that version and later, no patch to MIT Kerberos is required to
    use this code.  Thanks to Sam Hartman for the patch.

    Current MIT Kerberos calls the password change hook with a NULL
    password in the -randkey case, which neither the module nor the patch
    was prepared to handle.  Pass a password of NULL and a length of 0
    from the MIT patch to the plugin in this case and, for now, quietly
    skip -randkey key changes in the plugin since we cannot currently do
    anything sensible with them.  Thanks, Dominic Hargreaves.

    krb5-sync-backend's password command now accepts the password on
    standard input in addition to accepting it as a command-line
    parameter.  This is more secure since the password is not exposed to
    other users of the same system.
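As an added illustration of the point above (this is not krb5-sync's own code, and the exact argument shape of the backend's password command is assumed), the following Python shows the difference between passing a password in argv, where any local user can read it from the process list, and feeding it on standard input:

```python
"""Added example: supplying a secret to a helper via stdin rather than argv.

The command line `krb5-sync-backend password USER [PASSWORD]` used here is
an assumption for illustration, not the tool's documented syntax.
"""
import io
import subprocess

BACKEND = "krb5-sync-backend"  # program name from the announcement


def read_password(stream):
    """Return one line of `stream` as the password.

    Only a single trailing newline is stripped, so a password that ends in
    whitespace survives intact; an empty line is an error rather than a
    silently empty password.
    """
    line = stream.readline()
    if line.endswith("\n"):
        line = line[:-1]
    if not line:
        raise ValueError("empty password on standard input")
    return line


def password_from_text(text):
    """Convenience wrapper: parse a password from an in-memory string."""
    return read_password(io.StringIO(text))


def backend_invocation(user, password, via_stdin=True):
    """Build (argv, stdin_text) for a password change.

    via_stdin=True keeps the secret out of argv (visible to every user via
    `ps`) and returns it as text to feed on standard input instead.
    """
    argv = [BACKEND, "password", user]
    if via_stdin:
        return argv, password + "\n"
    return argv + [password], None


def run_change(user, password):
    """Run the backend with the password supplied on stdin only."""
    argv, feed = backend_invocation(user, password)
    return subprocess.run(argv, input=feed, text=True, check=False)
```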

    In krb5-sync, diagnose an incomplete krb5.conf configuration and
    report an error indicating the missing setting rather than

    Fix the program name used by the plugin to load initial credential
    default flags on Heimdal to be krb5-sync, not k5start.

    Remove the patch for Stanford's patched MIT Kerberos 1.4.4 from the
    distribution.  This has not been used at Stanford for years and is old
    enough that it's unlikely to be of interest to others.

    Add --with-ldap, --with-ldap-include, and --with-ldap-lib flags to
    configure to specify the locations of the OpenLDAP libraries if
    they're not on the standard search path.

    Add a basic test suite framework.  This currently only tests
    documentation and low-level supporting libraries.

    Update to rra-c-util 4.1:

    * Build on systems where krb5/krb5.h exists but krb5.h does not.
    * Kerberos probes no longer assume transitive library dependencies.
    * Fix removal of /usr/include from Kerberos CPPFLAGS.
    * Include strings.h where present for more POSIX string functions.
    * Avoid passing a NULL context to krb5_get_error_message.
    * Fix a data type issue in the messages utility library.
    * Fix incorrect __attribute notations in the utility library.
    * Add replacement for a missing strndup (such as on Mac OS X).
    * Add krb5_appdefault_* replacement for AIX's bundled Kerberos.
    * Add notices to all files copied from rra-c-util.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery
