krb5-sync 3.0 released
eagle at eyrie.org
Tue Dec 10 02:43:08 EST 2013
I'm pleased to announce release 3.0 of krb5-sync.
krb5-sync is a toolkit for synchronizing passwords and account status from
an MIT or Heimdal Kerberos master KDC to Active Directory. Password
changes are done via the Kerberos password change protocol, and account
status is updated via LDAP. It provides a plugin for the kadmin libraries
and supporting command-line utilities, as well as a patch for Heimdal to
add plugin support.
Changes from previous release:
The default installed module name has been changed to sync.so from
krb5_sync.so, since the krb5 part is redundant in the Kerberos plugin
context. This will require configuration changes for existing users
to load the new plugin path name.
The meaning of the ad_ldap_base configuration option has changed, and
it's now mandatory for status synchronization. This setting should
now contain the full DN of the tree in Active Directory where account
information is stored (such as cn=Accounts,dc=example,dc=com).
Previously, the dc components should be omitted and were derived from
the realm; this is no longer done. If this configuration option is
not set, principal status will not be synchronized to Active
Drop support for MIT Kerberos versions prior to 1.9. All major
distributions are now shipping with a newer version of MIT Kerberos
than this, and supporting older versions requires supporting patches
and maintaining handicapped internal APIs. MIT Kerberos 1.9 and later
do not require patches to use this module. Patches for Heimdal are
Add a new string krb5.conf option, ad_base_instance, which, if set,
changes the way that password synchronization is handled. When this
option is set, the password for the principal formed by appending that
instance to a base principal is propagated to Active Directory as the
password for the base principal. For example, if this is set to the
string "windows", the password of the principal "user/windows" is
propagated to Active Directory as the password for the principal
"user" and password changes for the principal "user" are ignored.
This special behavior only happens if "user/windows" exists in the
local Kerberos KDC database; if not, password propagation for the
principal "user" happens normally, just as if this option weren't set.
This allows the Active Directory principal to be treated as an
instance rather than a main account for specific users without
affecting behavior for other users.
Add a new boolean krb5.conf option, ad_queue_only, which, if set to
true, forces all changes to be queued even if there are no conflicting
changes already queued. The changes can then be processed later with
krb5-sync-backend. This can be useful if real-time updates to Active
Directory cause performance issues in kadmind or kpasswdd. kpasswd
clients in particular are often intolerant of delays.
Add a new boolean krb5.conf option, syslog, which can be set to false
to suppress syslog logging of the actions taken by the plugin and
error messages leading to queuing the change. Always log the error
that leads to queuing a status change.
Any time an Active Directory password change fails, queue the change
instead of failing it, rather than trying to distinguish between local
errors that should fail the change and errors that should be queued.
The previous logic was very Stanford-specific.
krb5-sync-backend now requires the IPC::Run and Net::Remctl::Backend
modules be installed. The former is available from CPAN, and the
latter is available from the remctl package (version 3.4 or later).
krb5-sync-backend supports a new flag, -d, which specifies the
location of the queue directory, changing the default of
When processing events in krb5-sync-backend, skip event files which no
longer exist by the time we get to them. This makes krb5-sync-backend
more robust against multiple copies running at the same time.
Update to rra-c-util 4.12:
* Better error messages from xasprintf on failure to format output.
* Check return status of vsnprintf properly.
* Significant improvements to POD tests.
* Avoid leaking a dummy symbol from the portability layer.
* Probe for Kerberos headers with file existence checks.
Update to C TAP Harness 2.3:
* runtests now treats the command line as a list of tests by default.
* The full test executable path can now be passed to runtests -o.
* Improved harness output for tests with lazy plans.
* Improved harness output to a terminal for some abort cases.
* Flush harness output after each test even when not on a terminal.
* bail and sysbail now exit with status 255 to match Test::More.
* Suppress lazy plans and test summaries if the test failed with bail.
* Add warn_unused_result gcc attributes to relevant functions.
You can download it from:
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
More information about the Kerberos