(Synchronize passwords and status with Active Directory)


krb5-sync [-d | -e] [-p password] user

krb5-sync -f file


krb5-sync provides a command-line interface to the same functions provided by the password and status synchronization plugin. It can push a new password to Active Directory (actually, to any password store that supports the Kerberos set-password protocol) or activate or deactivate an account in Active Directory.

To synchronize passwords, provide the -p option and specify the password. Note that the password is given on the command line and must be quoted if it contains special characters, and the password will be exposed to any other users on the system where this command is run. This is useful primarily for testing and should not be used with production passwords. Synchronization to Active Directory will be attempted based on the configuration in krb5.conf (see below).

To enable or disable an account, provide the -e or -d option respectively. These options can also be provided in conjunction with the -p option to take both actions at once.

In either case, user should be the principal name for which these actions should be taken. user may be either unqualified or in the local realm; either way, the Active Directory realm in which to make changes will be taken from the krb5.conf configuration.

Alternately, krb5-sync also supports processing actions from a file. To do this, use the -f flag and give the file on the command line. The format of the file should be as follows:

    password | enable | disable

where the fourth line is present only if the <action> is password. <account> should be the unqualified name of the account. The second line should be the string ad to push the change to Windows Active Directory. The third line should be one of password, enable, or disable, corresponding to the -p, -e, and -d options respectively. The enable and disable actions are only supported for AD.

The file format is not particularly forgiving. In particular, all of the keywords are case-sensitive and there must not be any whitespace at the beginning or end of the lines (except in the password, and only if that whitespace is part of the password), just a single newline terminating each line.

When the -f option is given, the file will be deleted if the action was successful but left alone if the action failed.

The configuration block in krb5.conf should look something like this:

    krb5-sync = {
        ad_keytab       = /etc/krb5kdc/ad-keytab
        ad_principal    = service/sync@WINDOWS.EXAMPLE.COM
        ad_realm        = WINDOWS.EXAMPLE.COM
        ad_admin_server =
        ad_ldap_base    = ou=People

If the configuration required for an action is not given, that action will not be performed but will apparently succeed from the perspective of the krb5-sync utility. Therefore, if this utility reports success but no change is happening, double-check the configuration to ensure that all required options are present.

The ad_keytab option specifies the location of a keytab for authenticating to the other realm, the ad_principal option specifies the principal to authenticate as (using the key in the keytab), and the ad_realm option specifies the foreign realm. ad_admin_server is the host to contact via LDAP to push account status changes. ad_ldap_base specifies the base tree inside Active Directory where account information is stored. Omit the trailing dc= part; it will be added automatically from ad_realm.

Be aware that the ad_instances, ad_base_instance, and ad_queue_only configuration options that are used by the krb5-sync plugin are ignored by krb5-sync. The krb5-sync command will push changes to whatever principal it was given, regardless of the normal limits on instances, and does not do any of the principal remapping configured with ad_base_instance.



Disable the specified user in Active Directory. Requires that all of the ad_* options be set in krb5.conf. This option may not be specified at the same time as -e.


Enable the specified user in Active Directory. Requires that all of the ad_* options be set in krb5.conf. This option may not be specified at the same time as -e.

-f file

Rather than perform a particular action based on a username given on the command line, read a queue file and take action based on it. The format of the queue file is described above. If the action fails, the file will be left alone. If the action succeeds, the file will be deleted.

-p password

Change the user's password to password in Active Directory.


Disable the account "jdoe" in Active Directory (using the AD configuration found in krb5.conf):

    krb5-sync -d jdoe

Change the password of the account testuser in Active Directory to changeme:

    krb5-sync -p changeme testuser@EXAMPLE.COM

The same, except also enable the account in Active Directory:

    krb5-sync -e -p changeme testuser

Note that the realm for the user given on the command line is optional and ignored.

Given a file named jdoe-ad-1168560492 containing:


the command:

    krb5-sync -f jdoe-ad-1168560492

will change jdoe's password to changeme in Active Directory and then delete the file.


The current version of this program is available from its web page at <>.


Russ Allbery <>


Copyright 2007, 2008, 2010, 2012 The Board of Trustees of the Leland Stanford Junior University

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without any warranty.

Last spun 2022-02-06 from POD modified 2014-04-13