User-Visible krb5-sync Changes

krb5-sync 3.2 (unreleased)

Add a patch for Heimdal 7.4.0, contributed by Patrik Lundin.

krb5-sync 3.1 (2015-08-18)

In krb5-sync-backend silent mode, fix the ignore regex for missing users and report unsuppressed errors properly with an ending newline.

Update to rra-c-util 5.8:

Update to C TAP Harness 3.4:

krb5-sync 3.0 (2013-12-09)

The default installed module name has been changed to from, since the krb5 part is redundant in the Kerberos plugin context. This will require configuration changes for existing users to load the new plugin path name.

The meaning of the ad_ldap_base configuration option has changed, and it's now mandatory for status synchronization. This setting should now contain the full DN of the tree in Active Directory where account information is stored (such as cn=Accounts,dc=example,dc=com). Previously, the dc components should be omitted and were derived from the realm; this is no longer done. If this configuration option is not set, principal status will not be synchronized to Active Directory.

Drop support for MIT Kerberos versions prior to 1.9. All major distributions are now shipping with a newer version of MIT Kerberos than this, and supporting older versions requires supporting patches and maintaining handicapped internal APIs. MIT Kerberos 1.9 and later do not require patches to use this module. Patches for Heimdal are still provided.

Add a new string krb5.conf option, ad_base_instance, which, if set, changes the way that password synchronization is handled. When this option is set, the password for the principal formed by appending that instance to a base principal is propagated to Active Directory as the password for the base principal. For example, if this is set to the string "windows", the password of the principal "user/windows" is propagated to Active Directory as the password for the principal "user" and password changes for the principal "user" are ignored. This special behavior only happens if "user/windows" exists in the local Kerberos KDC database; if not, password propagation for the principal "user" happens normally, just as if this option weren't set. This allows the Active Directory principal to be treated as an instance rather than a main account for specific users without affecting behavior for other users.

Add a new boolean krb5.conf option, ad_queue_only, which, if set to true, forces all changes to be queued even if there are no conflicting changes already queued. The changes can then be processed later with krb5-sync-backend. This can be useful if real-time updates to Active Directory cause performance issues in kadmind or kpasswdd. kpasswd clients in particular are often intolerant of delays.

Add a new boolean krb5.conf option, syslog, which can be set to false to suppress syslog logging of the actions taken by the plugin and error messages leading to queuing the change. Always log the error that leads to queuing a status change.

Any time an Active Directory password change fails, queue the change instead of failing it, rather than trying to distinguish between local errors that should fail the change and errors that should be queued. The previous logic was very Stanford-specific.

krb5-sync-backend now requires the IPC::Run and Net::Remctl::Backend modules be installed. The former is available from CPAN, and the latter is available from the remctl package (version 3.4 or later).

krb5-sync-backend supports a new flag, -d, which specifies the location of the queue directory, changing the default of /var/spool/krb5-sync.

When processing events in krb5-sync-backend, skip event files which no longer exist by the time we get to them. This makes krb5-sync-backend more robust against multiple copies running at the same time.

Update to rra-c-util 4.12:

Update to C TAP Harness 2.3:

krb5-sync 2.3 (2012-09-18)

When handling password changes from MIT Kerberos, quietly ignore changes where the password is NULL. These are key randomizations, such as from addprinc -randkey, which this module inherently can't do anything with.

The plugin is now installed in a kadm5_hook subdirectory under krb5/plugins (under libdir in turn), matching the plugin layout used by MIT Kerberos.

When krb5-sync-backend is running in silent mode, ignore "Operation not permitted" errors from krb5_set_password. Heimdal 1.5.2 returns this error from Active Directory when attempting to change the password of an account that does not exist.

Properly pass Kerberos preprocessor flags to the compiler when building the plugin.

Update to rra-c-util 4.6:

Update to C TAP Harness 1.12:

krb5-sync 2.2 (2012-01-10)

The name of the plugin is now instead of and is installed under /usr/local/lib/krb5/plugins by default. The KDC configuration for the name of the module to load will need to change accordingly.

Add support for the new libkadm5 hooks provided by MIT Kerberos 1.9. With that version and later, no patch to MIT Kerberos is required to use this code. Thanks to Sam Hartman for the patch.

Current MIT Kerberos calls the password change hook with a NULL password in the -randkey case, which neither the module nor the patch were prepared to handle. Pass a password of NULL and a length of 0 from the MIT patch to the plugin in this case and, for now, quietly skip -randkey key changes in the plugin since we cannot currently do anything sensible with them. Thanks, Dominic Hargreaves.

krb5-sync-backend's password command now accepts the password on standard input in addition to accepting it as a command-line parameter. This is more secure since the password is not exposed to other users of the same system.

In krb5-sync, diagnose an incomplete krb5.conf configuration and report an error indicating the missing setting rather than segfaulting.

Fix the program name used by the plugin to load initial credential default flags on Heimdal to be krb5-sync, not k5start.

Remove the patch for Stanford's patched MIT Kerberos 1.4.4 from the distribution. This has not been used at Stanford for years and is old enough that it's unlikely to be of interest to others.

Add --with-ldap, --with-ldap-include, and --with-ldap-lib flags to configure to specify the locations of the OpenLDAP libraries if they're not on the standard search path.

Add a basic test suite framework. This currently only tests documentation and low-level supporting libraries.

Update to rra-c-util 4.1:

krb5-sync 2.1 (2010-08-26)

Queue password changes on any failure to change the password in Active Directory, rather than only on failures returned as an error in the password change protocol. Heimdal 1.3.2 will return an error about a missing service location plugin instead of the last error from Active Directory, causing the plugin to fail the whole password change rather than queuing it as intended for unknown users.

Fix suppression of some error messages in krb5-sync-backend when the -s flag was given. This was broken by adding the krb5-sync: prefix to error messages from krb5-sync.

Suppress the Heimdal service_locator plugin error message in krb5-sync-backend when the -s flag was given.

Add a version of the krb5-sync patch for MIT Kerberos 1.8.3. This is a simple forward-port of the 1.4.4 patch and doesn't use any of the new plugin capabilities or configuration. Thanks to Sam Hartman for the port.

The Active Directory status manipulation code no longer uses deprecated OpenLDAP library functions.

Update to rra-c-util 2.6:

krb5-sync 2.0 (2010-02-15)

Dropped support for AFS synchronization and all Kerberos v4 support. This package now only synchronizes with Active Directory.

Add plugin support for the proposed kadmin hooks for Heimdal and ported the code to Heimdal as well as MIT Kerberos. Add a patch for Heimdal 1.3.1 to the patches directory. The implementation for Heimdal is preliminary and will change in later releases.

Add an ad_ldap_base configuration option to specify the base DN for Active Directory. Patch from Andreas Johansson.

Ignore connection timeouts from AD when running the queue with krb5-sync-backend in silent mode.

Improve error reporting in the standalone krb5-sync utility.

Enable Automake silent rules. For a quieter build, pass the --enable-silent-rules option to configure or build with make V=0.

Add portability code for platforms without a working snprintf or other deficiencies and updated the code to take advantage of those guarantees.

Update Kerberos Autoconf macros from rra-c-util 2.3:

krb5-sync 1.2 (2007-12-25)

Don't call rx_Finalize after every synchronization with an AFS kaserver. This isn't correct and leaks threads. Only call rx_Finalize when shutting down the entire module.

The AFS synchronization code is now only built if requested using the --with-afs flag to configure, allowing the package to be built at sites that don't use AFS.

Add the purge command to krb5-sync-backend, which removes all queued actions last modified more than some number of days in the past.

Use the new Kerberos error message APIs to retrieve error messages, giving more complete errors in current versions of Kerberos. This is also necessary in the long run for Heimdal support, although the package in general doesn't support Heimdal yet.

krb5-sync 1.1 (2007-08-27)

MIT Kerberos kadmind (at least in 1.4.4) doesn't always nul-terminate principal instances when processing kpasswd requests. The instance verification also didn't correctly handle some combinations of allowed instances. Rewrite the check routine to cope with all of these issues.

krb5-sync 1.0 (2007-08-13)

Add a new option to krb5-sync-backend to tell process to filter out successful messages from krb5-sync and common errors that mean the account doesn't exist in Active Directory. Also add support for the -h flag.

Fix the logging output from Active Directory account status changes to not append the realm twice.

Send krb5-sync logging to LOG_AUTH instead of LOG_AUTHPRIV to really match what kadmind does.

krb5-sync 0.7 (2007-08-07)

Log a message to syslog from the plugin when password changes fail and we have to queue. Otherwise, when the queuing is successful, we never log the original error.

Work around the behavior of MIT Kerberos's Kerberos v4 compat libraries that left garbage in the instance field after parsing an unqualified principal with no instance. Only of interest to users doing AFS password propagation.

Log krb5-sync operations to LOG_AUTHPRIV (LOG_AUTH if that doesn't exist) so that they go to the same place as the kadmind logs do by default.

Rename the provided patch to document that it only applies over top of the krb5-strength patches and provide a patch that applies to a stock MIT Kerberos 1.4.4 tree.

krb5-sync 0.6 (2007-07-13)

Add support for propagating selected non-empty instances into the AFS and Active Directory environments rather than ignoring all principals with non-empty instances.

Fix the Active Directory password change component to not overwrite the realm of the principal passed from kadmind so that logging of AFS password change attempts will contain the local realm instead of the AD realm.

When enabling or disabling accounts in Active Directory, look them up by userPrincipalName instead of sAMAccountName.

Correctly strip the realm for queuing even for principals containing escaped @ characters.

Add Active Directory configuration instructions. Thanks, Ross Wilper.

krb5-sync 0.5 (2007-03-22)

Obtain new AFS tokens for each operation rather than reusing the existing token since ka_GetAdminToken isn't smart enough to realize that the old token has expired.

Queue AD password changes rather than rejecting the change if the error message from the password change may indicate that the user doesn't exist in AD.

Queue AD password changes if there is already an AD password change queued rather than rejecting the change.

Include the username in status messages from the krb5-sync command-line utility.

krb5-sync 0.4 (2007-01-23)

The krb5-sync command-line utility now supports taking its actions from a file instead of the command-line. Those queue files can also specify changing the password only in Active Directory or only in an AFS kaserver.

The plugin will now queue account status changes and AFS password changes if making the change fails or if a change of that type is already queued for that account.

Add a new Perl script, krb5-sync-backend, which supports listing and processing the queue and queuing particular changes.

krb5-sync 0.3 (2007-01-05)

First publicly released version. Includes a patch for MIT Kerberos 1.4.4, a plugin that can synchronize passwords to one Active Directory realm and/or one AFS kaserver realm and enabled flag changes to one Active Directory realm, and command-line utilities to perform the same actions as the plugin.

Converted to XHTML by faq2html version 1.36