krb5-sync 2.2 released
rra at stanford.edu
Wed Jan 11 18:01:12 EST 2012
I'm pleased to announce release 2.2 of krb5-sync.
krb5-sync is a toolkit for synchronizing passwords and account status from
an MIT or Heimdal Kerberos master KDC to Active Directory. Password
changes are done via the Kerberos password change protocol, and account
status is updated via LDAP. It provides a plugin for the kadmin libraries
and supporting command-line utilities, as well as a patch for Heimdal and
older versions of MIT Kerberos to add plugin support.
Changes from previous release:
The name of the plugin is now krb5_sync.so instead of passwd_update.so
and is installed under /usr/local/lib/krb5/plugins by default. The
KDC configuration for the name of the module to load will need to

Add support for the new libkadm5 hooks provided by MIT Kerberos 1.9.
With that version and later, no patch to MIT Kerberos is required to
use this code. Thanks to Sam Hartman for the patch.

Current MIT Kerberos calls the password change hook with a NULL
password in the -randkey case, which neither the module nor the patch
was prepared to handle. Pass a password of NULL and a length of 0
from the MIT patch to the plugin in this case and, for now, quietly
skip -randkey key changes in the plugin since we cannot currently do
anything sensible with them. Thanks, Dominic Hargreaves.

krb5-sync-backend's password command now accepts the password on
standard input in addition to accepting it as a command-line
parameter. This is more secure since a command-line parameter is
visible to every other user of the same system through the process
table (ps or /proc), whereas standard input is not.
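As an added illustration of the point in the previous item (this is example code, not part of krb5-sync, and it does not use krb5-sync-backend's own arguments): a POSIX sh snippet that shows a password in argv being readable from /proc/<pid>/cmdline, the file ps(1) reads and any local user can open on Linux, beside the plain stdin pattern that keeps the value out of every argument vector. The secret "hunter2" is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not krb5-sync code. Contrasts passing a secret via argv
# (world-readable through /proc on Linux) with passing it via stdin.

# argv_is_visible SECRET
# Start a child shell with SECRET in its argument vector and read that
# child's own argv back through /proc/<pid>/cmdline, the same source
# ps(1) uses and which any local user can read. Returns 0 if SECRET is
# visible, 1 if not, 2 where /proc is unavailable (e.g. non-Linux).
# The trailing ":" stops shells that exec the last command in -c scripts
# from replacing their own argv before the read happens.
argv_is_visible() {
    [ -r /proc/self/cmdline ] || return 2
    seen=$(sh -c 'tr "\0" " " < "/proc/$$/cmdline"; :' sh "$1")
    case "$seen" in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# read_secret_stdin
# Read one line from standard input into a shell variable without word
# splitting (IFS=) and without backslash interpretation (-r), tolerating a
# missing trailing newline. The value is then handed on over a pipe, so it
# never appears in any process's argv. Prints the value; returns 1 if the
# input was empty.
read_secret_stdin() {
    IFS= read -r secret || [ -n "$secret" ] || return 1
    [ -n "$secret" ] || return 1
    printf '%s' "$secret"
}

# Usage sketch: the insecure form is `tool password "$pw"`; the safe form
# is `printf '%s\n' "$pw" | tool password`, where tool reads stdin as
# read_secret_stdin does. (tool and its arguments are placeholders.)
```

On Linux, argv_is_visible returns 0 for any secret passed to it, which is exactly the leak the stdin option closes; run it as a regular user to confirm that /proc exposes other users' command lines as well.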
In krb5-sync, diagnose an incomplete krb5.conf configuration and
report an error indicating the missing setting rather than

Fix the program name used by the plugin to load initial credential
default flags on Heimdal to be krb5-sync, not k5start.

Remove the patch for Stanford's patched MIT Kerberos 1.4.4 from the
distribution. This has not been used at Stanford for years and is old
enough that it's unlikely to be of interest to others.

Add --with-ldap, --with-ldap-include, and --with-ldap-lib flags to
configure to specify the locations of the OpenLDAP libraries if
they're not on the standard search path.

Add a basic test suite framework. This currently only tests
documentation and low-level supporting libraries.

Update to rra-c-util 4.1:

* Build on systems where krb5/krb5.h exists but krb5.h does not.
* Kerberos probes no longer assume transitive library dependencies.
* Fix removal of /usr/include from Kerberos CPPFLAGS.
* Include strings.h where present for more POSIX string functions.
* Avoid passing a NULL context to krb5_get_error_message.
* Fix a data type issue in the messages utility library.
* Fix incorrect __attribute notations in the utility library.
* Add replacement for a missing strndup (such as on Mac OS X).
* Add krb5_appdefault_* replacement for AIX's bundled Kerberos.
* Add notices to all files copied from rra-c-util.
You can download it from:
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>