NEWS 16.2 KB
Newer Older
Russ Allbery's avatar
Russ Allbery committed
1 2
                      User-Visible krb5-sync Changes

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 3.1 (2015-08-18)

5 6 7
    In krb5-sync-backend silent mode, fix the ignore regex for missing
    users and report unsuppressed errors properly with an ending newline.

8 9 10 11 12 13
    Update to rra-c-util 5.8:

    * Support the Solaris 10 embedded Kerberos implementation.
    * Use calloc or reallocarray instead of malloc.
    * Fix compilation with a C++ compiler.

    Update to C TAP Harness 3.4:
15 16 17 18 19

    * Display verbose test results with -v or C_TAP_VERBOSE.
    * Reopen standard input to /dev/null when running a test list.
    * Don't leak extraneous file descriptors to tests.

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 3.0 (2013-12-09)

22 23 24 25 26
    The default installed module name has been changed to from, since the krb5 part is redundant in the Kerberos plugin
    context.  This will require configuration changes for existing users
    to load the new plugin path name.

27 28 29 30 31 32 33 34
    The meaning of the ad_ldap_base configuration option has changed, and
    it's now mandatory for status synchronization.  This setting should
    now contain the full DN of the tree in Active Directory where account
    information is stored (such as cn=Accounts,dc=example,dc=com).
    Previously, the dc components should be omitted and were derived from
    the realm; this is no longer done.  If this configuration option is
    not set, principal status will not be synchronized to Active

36 37 38 39 40 41 42
    Drop support for MIT Kerberos versions prior to 1.9.  All major
    distributions are now shipping with a newer version of MIT Kerberos
    than this, and supporting older versions requires supporting patches
    and maintaining handicapped internal APIs.  MIT Kerberos 1.9 and later
    do not require patches to use this module.  Patches for Heimdal are
    still provided.

    Add a new string krb5.conf option, ad_base_instance, which, if set,
44 45
    changes the way that password synchronization is handled.  When this
    option is set, the password for the principal formed by appending that
    instance to a base principal is propagated to Active Directory as the
47 48
    password for the base principal.  For example, if this is set to the
    string "windows", the password of the principal "user/windows" is
49 50 51 52 53 54 55 56 57
    propagated to Active Directory as the password for the principal
    "user" and password changes for the principal "user" are ignored.
    This special behavior only happens if "user/windows" exists in the
    local Kerberos KDC database; if not, password propagation for the
    principal "user" happens normally, just as if this option weren't set.
    This allows the Active Directory principal to be treated as an
    instance rather than a main account for specific users without
    affecting behavior for other users.

58 59 60 61 62 63 64
    Add a new boolean krb5.conf option, ad_queue_only, which, if set to
    true, forces all changes to be queued even if there are no conflicting
    changes already queued.  The changes can then be processed later with
    krb5-sync-backend.  This can be useful if real-time updates to Active
    Directory cause performance issues in kadmind or kpasswdd.  kpasswd
    clients in particular are often intolerant of delays.

65 66 67 68 69
    Add a new boolean krb5.conf option, syslog, which can be set to false
    to suppress syslog logging of the actions taken by the plugin and
    error messages leading to queuing the change.  Always log the error
    that leads to queuing a status change.

70 71 72 73 74
    Any time an Active Directory password change fails, queue the change
    instead of failing it, rather than trying to distinguish between local
    errors that should fail the change and errors that should be queued.
    The previous logic was very Stanford-specific.

75 76 77 78
    krb5-sync-backend now requires the IPC::Run and Net::Remctl::Backend
    modules be installed.  The former is available from CPAN, and the
    latter is available from the remctl package (version 3.4 or later).

79 80 81 82
    krb5-sync-backend supports a new flag, -d, which specifies the
    location of the queue directory, changing the default of

83 84 85 86
    When processing events in krb5-sync-backend, skip event files which no
    longer exist by the time we get to them.  This makes krb5-sync-backend
    more robust against multiple copies running at the same time.

87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105
    Update to rra-c-util 4.12:

    * Better error messages from xasprintf on failure to format output.
    * Check return status of vsnprintf properly.
    * Significant improvements to POD tests.
    * Avoid leaking a dummy symbol from the portability layer.
    * Probe for Kerberos headers with file existence checks.

    Update to C TAP Harness 2.3:

    * runtests now treats the command line as a list of tests by default.
    * The full test executable path can now be passed to runtests -o.
    * Improved harness output for tests with lazy plans.
    * Improved harness output to a terminal for some abort cases.
    * Flush harness output after each test even when not on a terminal.
    * bail and sysbail now exit with status 255 to match Test::More.
    * Suppress lazy plans and test summaries if the test failed with bail.
    * Add warn_unused_result gcc attributes to relevant functions.

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 2.3 (2012-09-18)

108 109 110 111 112
    When handling password changes from MIT Kerberos, quietly ignore
    changes where the password is NULL.  These are key randomizations,
    such as from addprinc -randkey, which this module inherently can't do
    anything with.

113 114 115 116
    The plugin is now installed in a kadm5_hook subdirectory under
    krb5/plugins (under libdir in turn), matching the plugin layout used
    by MIT Kerberos.

117 118 119 120 121
    When krb5-sync-backend is running in silent mode, ignore "Operation
    not permitted" errors from krb5_set_password.  Heimdal 1.5.2 returns
    this error from Active Directory when attempting to change the
    password of an account that does not exist.

122 123 124
    Properly pass Kerberos preprocessor flags to the compiler when
    building the plugin.

125 126 127 128 129 130 131 132 133 134 135 136 137 138 139
    Update to rra-c-util 4.6:

    * Pass --deps to krb5-config except with --enable-reduced-depends.
    * Do not assume string is nul-terminated in replacement strdup.
    * Avoid using local in the shell TAP library for Solaris portability.
    * Silence __attribute__ warnings on more compilers.

    Update to C TAP Harness 1.12:

    * Suppress plan and summary if bail is called before any tests run.
    * Only use feature-test macros when requested or built with gcc -ansi.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell library.
    * Silence __attribute__ warnings on more compilers.

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 2.2 (2012-01-10)

142 143 144 145 146
    The name of the plugin is now instead of
    and is installed under /usr/local/lib/krb5/plugins by default.  The
    KDC configuration for the name of the module to load will need to
    change accordingly.

147 148 149 150
    Add support for the new libkadm5 hooks provided by MIT Kerberos 1.9.
    With that version and later, no patch to MIT Kerberos is required to
    use this code.  Thanks to Sam Hartman for the patch.

    Current MIT Kerberos calls the password change hook with a NULL
152 153 154 155 156
    password in the -randkey case, which neither the module nor the patch
    were prepared to handle.  Pass a password of NULL and a length of 0
    from the MIT patch to the plugin in this case and, for now, quietly
    skip -randkey key changes in the plugin since we cannot currently do
    anything sensible with them.  Thanks, Dominic Hargreaves.

158 159 160 161 162
    krb5-sync-backend's password command now accepts the password on
    standard input in addition to accepting it as a command-line
    parameter.  This is more secure since the password is not exposed to
    other users of the same system.

163 164 165 166
    In krb5-sync, diagnose an incomplete krb5.conf configuration and
    report an error indicating the missing setting rather than

167 168 169
    Fix the program name used by the plugin to load initial credential
    default flags on Heimdal to be krb5-sync, not k5start.

170 171 172 173
    Remove the patch for Stanford's patched MIT Kerberos 1.4.4 from the
    distribution.  This has not been used at Stanford for years and is old
    enough that it's unlikely to be of interest to others.

174 175 176 177
    Add --with-ldap, --with-ldap-include, and --with-ldap-lib flags to
    configure to specify the locations of the OpenLDAP libraries if
    they're not on the standard search path.

178 179 180
    Add a basic test suite framework.  This currently only tests
    documentation and low-level supporting libraries.

Russ Allbery's avatar
Russ Allbery committed
181 182 183 184 185 186 187 188 189 190
    Update to rra-c-util 4.1:

    * Build on systems where krb5/krb5.h exists but krb5.h does not.
    * Kerberos probes no longer assume transitive library dependencies.
    * Fix removal of /usr/include from Kerberos CPPFLAGS.
    * Include strings.h where present for more POSIX string functions.
    * Avoid passing a NULL context to krb5_get_error_message.
    * Fix a data type issue in the messages utility library.
    * Fix incorrect __attribute notations in the utility library.
    * Add replacement for a missing strndup (such as on Mac OS X).
    * Add krb5_appdefault_* replacement for AIX's bundled Kerberos.
Russ Allbery's avatar
Russ Allbery committed
192 193
    * Add notices to all files copied from rra-c-util.

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 2.1 (2010-08-26)
195 196 197 198 199 200 201 202

    Queue password changes on any failure to change the password in Active
    Directory, rather than only on failures returned as an error in the
    password change protocol.  Heimdal 1.3.2 will return an error about a
    missing service location plugin instead of the last error from Active
    Directory, causing the plugin to fail the whole password change rather
    than queuing it as intended for unknown users.

203 204 205 206 207 208 209
    Fix suppression of some error messages in krb5-sync-backend when the
    -s flag was given.  This was broken by adding the krb5-sync: prefix to
    error messages from krb5-sync.

    Suppress the Heimdal service_locator plugin error message in
    krb5-sync-backend when the -s flag was given.

210 211 212 213 214
    Add a version of the krb5-sync patch for MIT Kerberos 1.8.3.  This is
    a simple forward-port of the 1.4.4 patch and doesn't use any of the
    new plugin capabilities or configuration.  Thanks to Sam Hartman for
    the port.

215 216 217
    The Active Directory status manipulation code no longer uses
    deprecated OpenLDAP library functions.

Russ Allbery's avatar
Russ Allbery committed
218 219 220 221 222
    Update to rra-c-util 2.6:

    * Fix portability to bundled Heimdal on OpenBSD.
    * Fix portability for missing krb5_get_init_creds_opt_free.

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 2.0 (2010-02-15)
224 225 226

    Dropped support for AFS synchronization and all Kerberos v4 support.
    This package now only synchronizes with Active Directory.

    Add plugin support for the proposed kadmin hooks for Heimdal and
    ported the code to Heimdal as well as MIT Kerberos.  Add a patch for
230 231
    Heimdal 1.3.1 to the patches directory.  The implementation for
    Heimdal is preliminary and will change in later releases.

233 234 235
    Add an ad_ldap_base configuration option to specify the base DN for
    Active Directory.  Patch from Andreas Johansson.

236 237 238
    Ignore connection timeouts from AD when running the queue with
    krb5-sync-backend in silent mode.

239 240
    Improve error reporting in the standalone krb5-sync utility.

241 242 243
    Enable Automake silent rules.  For a quieter build, pass the
    --enable-silent-rules option to configure or build with make V=0.

244 245 246 247
    Add portability code for platforms without a working snprintf or other
    deficiencies and updated the code to take advantage of those

248 249 250 251 252 253 254 255 256
    Update Kerberos Autoconf macros from rra-c-util 2.3:

    * Check for networking libraries before Kerberos libraries.
    * Sanity-check the results of krb5-config before proceeding.
    * Fall back on manual probing if krb5-config doesn't work.
    * Prefer KRB5_CONFIG from the environment.
    * If krb5-config isn't executable, don't use it.
    * Add --with-krb5-lib and --with-krb5-include configure options.

krb5-sync 1.2 (2007-12-25)
258 259 260 261 262

    Don't call rx_Finalize after every synchronization with an AFS
    kaserver.  This isn't correct and leaks threads.  Only call
    rx_Finalize when shutting down the entire module.

263 264 265 266
    The AFS synchronization code is now only built if requested using the
    --with-afs flag to configure, allowing the package to be built at
    sites that don't use AFS.

267 268 269
    Add the purge command to krb5-sync-backend, which removes all queued
    actions last modified more than some number of days in the past.

270 271 272 273 274
    Use the new Kerberos error message APIs to retrieve error messages,
    giving more complete errors in current versions of Kerberos.  This is
    also necessary in the long run for Heimdal support, although the
    package in general doesn't support Heimdal yet.

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 1.1 (2007-08-27)
276 277 278 279 280 281 282

    MIT Kerberos kadmind (at least in 1.4.4) doesn't always nul-terminate
    principal instances when processing kpasswd requests.  The instance
    verification also didn't correctly handle some combinations of
    allowed instances.  Rewrite the check routine to cope with all of
    these issues.

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 1.0 (2007-08-13)

285 286 287 288 289
    Add a new option to krb5-sync-backend to tell process to filter out
    successful messages from krb5-sync and common errors that mean the
    account doesn't exist in Active Directory.  Also add support for the
    -h flag.

290 291 292
    Fix the logging output from Active Directory account status changes
    to not append the realm twice.

293 294 295
    Send krb5-sync logging to LOG_AUTH instead of LOG_AUTHPRIV to
    really match what kadmind does.

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 0.7 (2007-08-07)

298 299 300 301
    Log a message to syslog from the plugin when password changes fail
    and we have to queue.  Otherwise, when the queuing is successful,
    we never log the original error.

302 303 304 305 306
    Work around the behavior of MIT Kerberos's Kerberos v4 compat
    libraries that left garbage in the instance field after parsing an
    unqualified principal with no instance.  Only of interest to users
    doing AFS password propagation.

307 308 309 310
    Log krb5-sync operations to LOG_AUTHPRIV (LOG_AUTH if that doesn't
    exist) so that they go to the same place as the kadmind logs do by

311 312 313 314
    Rename the provided patch to document that it only applies over top
    of the krb5-strength patches and provide a patch that applies to a
    stock MIT Kerberos 1.4.4 tree.

krb5-sync 0.6 (2007-07-13)

317 318
    Add support for propagating selected non-empty instances into the AFS
    and Active Directory environments rather than ignoring all principals
319 320 321 322 323 324 325 326 327 328 329 330
    with non-empty instances.

    Fix the Active Directory password change component to not overwrite
    the realm of the principal passed from kadmind so that logging of AFS
    password change attempts will contain the local realm instead of the
    AD realm.

    When enabling or disabling accounts in Active Directory, look them up
    by userPrincipalName instead of sAMAccountName.

    Correctly strip the realm for queuing even for principals containing
    escaped @ characters.

332 333 334
    Add Active Directory configuration instructions.  Thanks, Ross

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 0.5 (2007-03-22)

337 338 339 340
    Obtain new AFS tokens for each operation rather than reusing the
    existing token since ka_GetAdminToken isn't smart enough to realize
    that the old token has expired.

341 342 343 344 345 346 347
    Queue AD password changes rather than rejecting the change if the
    error message from the password change may indicate that the user
    doesn't exist in AD.

    Queue AD password changes if there is already an AD password change
    queued rather than rejecting the change.

348 349 350
    Include the username in status messages from the krb5-sync
    command-line utility.

krb5-sync 0.4 (2007-01-23)
352 353 354 355 356 357

    The krb5-sync command-line utility now supports taking its actions
    from a file instead of the command-line.  Those queue files can also
    specify changing the password only in Active Directory or only in an
    AFS kaserver.

Russ Allbery's avatar
Russ Allbery committed
358 359 360 361 362 363 364
    The plugin will now queue account status changes and AFS password
    changes if making the change fails or if a change of that type is
    already queued for that account.

    Add a new Perl script, krb5-sync-backend, which supports listing and
    processing the queue and queuing particular changes.

Russ Allbery's avatar
Russ Allbery committed
krb5-sync 0.3 (2007-01-05)
Russ Allbery's avatar
Russ Allbery committed
366 367 368 369 370 371 372

    First publicly released version.  Includes a patch for MIT Kerberos
    1.4.4, a plugin that can synchronize passwords to one Active Directory
    realm and/or one AFS kaserver realm and enabled flag changes to one
    Active Directory realm, and command-line utilities to perform the same
    actions as the plugin.