                      User-Visible krb5-sync Changes

krb5-sync 2.2 (2012-01-10)

    The name of the plugin is now krb5_sync.so instead of passwd_update.so
    and is installed under /usr/local/lib/krb5/plugins by default.  The
    KDC configuration for the name of the module to load will need to
    change accordingly.

    Add support for the new libkadm5 hooks provided by MIT Kerberos 1.9.
    With that version and later, no patch to MIT Kerberos is required to
    use this code.  Thanks to Sam Hartman for the patch.

    Current MIT Kerberos calls the password change hook with a NULL
    password in the -randkey case, which neither the module nor the patch
    was prepared to handle.  Pass a password of NULL and a length of 0
    from the MIT patch to the plugin in this case and, for now, quietly
    skip -randkey key changes in the plugin since we cannot currently do
    anything sensible with them.  Thanks, Dominic Hargreaves.

    krb5-sync-backend's password command now accepts the password on
    standard input in addition to accepting it as a command-line
    parameter.  This is more secure since the password is not exposed to
    other users of the same system.

    In krb5-sync, diagnose an incomplete krb5.conf configuration and
    report an error indicating the missing setting rather than
    segfaulting.

    Fix the program name used by the plugin to load initial credential
    default flags on Heimdal to be krb5-sync, not k5start.

    Remove the patch for Stanford's patched MIT Kerberos 1.4.4 from the
    distribution.  This has not been used at Stanford for years and is old
    enough that it's unlikely to be of interest to others.

    Add --with-ldap, --with-ldap-include, and --with-ldap-lib flags to
    configure to specify the locations of the OpenLDAP libraries if
    they're not on the standard search path.

    Add a basic test suite framework.  This currently only tests
    documentation and low-level supporting libraries.

    Update to rra-c-util 4.1:

    * Build on systems where krb5/krb5.h exists but krb5.h does not.
    * Kerberos probes no longer assume transitive library dependencies.
    * Fix removal of /usr/include from Kerberos CPPFLAGS.
    * Include strings.h where present for more POSIX string functions.
    * Avoid passing a NULL context to krb5_get_error_message.
    * Fix a data type issue in the messages utility library.
    * Fix incorrect __attribute notations in the utility library.
    * Add replacement for a missing strndup (such as on Mac OS X).
    * Add krb5_appdefault_* replacement for AIX's bundled Kerberos.
    * Add notices to all files copied from rra-c-util.

krb5-sync 2.1 (2010-08-26)

    Queue password changes on any failure to change the password in Active
    Directory, rather than only on failures returned as an error in the
    password change protocol.  Heimdal 1.3.2 will return an error about a
    missing service location plugin instead of the last error from Active
    Directory, causing the plugin to fail the whole password change rather
    than queuing it as intended for unknown users.

    Fix suppression of some error messages in krb5-sync-backend when the
    -s flag was given.  This was broken by adding the krb5-sync: prefix to
    error messages from krb5-sync.

    Suppress the Heimdal service_locator plugin error message in
    krb5-sync-backend when the -s flag was given.

    Add a version of the krb5-sync patch for MIT Kerberos 1.8.3.  This is
    a simple forward-port of the 1.4.4 patch and doesn't use any of the
    new plugin capabilities or configuration.  Thanks to Sam Hartman for
    the port.

    The Active Directory status manipulation code no longer uses
    deprecated OpenLDAP library functions.

    Update to rra-c-util 2.6:

    * Fix portability to bundled Heimdal on OpenBSD.
    * Fix portability for missing krb5_get_init_creds_opt_free.

krb5-sync 2.0 (2010-02-15)

    Dropped support for AFS synchronization and all Kerberos v4 support.
    This package now only synchronizes with Active Directory.

    Add plugin support for the proposed kadmin hooks for Heimdal and
    port the code to Heimdal as well as MIT Kerberos.  Add a patch for
    Heimdal 1.3.1 to the patches directory.  The implementation for
    Heimdal is preliminary and will change in later releases.

    Add an ad_ldap_base configuration option to specify the base DN for
    Active Directory.  Patch from Andreas Johansson.

    Ignore connection timeouts from AD when running the queue with
    krb5-sync-backend in silent mode.

    Improve error reporting in the standalone krb5-sync utility.

    Enable Automake silent rules.  For a quieter build, pass the
    --enable-silent-rules option to configure or build with make V=0.

    Add portability code for platforms without a working snprintf or other
    deficiencies and update the code to take advantage of those
    guarantees.

    Update Kerberos Autoconf macros from rra-c-util 2.3:

    * Check for networking libraries before Kerberos libraries.
    * Sanity-check the results of krb5-config before proceeding.
    * Fall back on manual probing if krb5-config doesn't work.
    * Prefer KRB5_CONFIG from the environment.
    * If krb5-config isn't executable, don't use it.
    * Add --with-krb5-lib and --with-krb5-include configure options.

krb5-sync 1.2 (2007-12-25)

    Don't call rx_Finalize after every synchronization with an AFS
    kaserver.  This isn't correct and leaks threads.  Only call
    rx_Finalize when shutting down the entire module.

    The AFS synchronization code is now only built if requested using the
    --with-afs flag to configure, allowing the package to be built at
    sites that don't use AFS.

    Add the purge command to krb5-sync-backend, which removes all queued
    actions last modified more than some number of days in the past.

    Use the new Kerberos error message APIs to retrieve error messages,
    giving more complete errors in current versions of Kerberos.  This is
    also necessary in the long run for Heimdal support, although the
    package in general doesn't support Heimdal yet.

krb5-sync 1.1 (2007-08-27)

    MIT Kerberos kadmind (at least in 1.4.4) doesn't always nul-terminate
    principal instances when processing kpasswd requests.  The instance
    verification also didn't correctly handle some combinations of
    allowed instances.  Rewrite the check routine to cope with all of
    these issues.

krb5-sync 1.0 (2007-08-13)

    Add a new option to krb5-sync-backend to tell the process command to
    filter out successful messages from krb5-sync and common errors that
    mean the account doesn't exist in Active Directory.  Also add support
    for the -h flag.

    Fix the logging output from Active Directory account status changes
    to not append the realm twice.

    Send krb5-sync logging to LOG_AUTH instead of LOG_AUTHPRIV to
    really match what kadmind does.

krb5-sync 0.7 (2007-08-07)

    Log a message to syslog from the plugin when password changes fail
    and we have to queue.  Otherwise, when the queuing is successful,
    we never log the original error.

    Work around the behavior of MIT Kerberos's Kerberos v4 compat
    libraries that left garbage in the instance field after parsing an
    unqualified principal with no instance.  Only of interest to users
    doing AFS password propagation.

    Log krb5-sync operations to LOG_AUTHPRIV (LOG_AUTH if that doesn't
    exist) so that they go to the same place as the kadmind logs do by
    default.

    Rename the provided patch to document that it only applies over top
    of the krb5-strength patches and provide a patch that applies to a
    stock MIT Kerberos 1.4.4 tree.

krb5-sync 0.6 (2007-07-13)

    Add support for propagating selected non-empty instances into the AFS
    and Active Directory environments rather than ignoring all principals
    with non-empty instances.

    Fix the Active Directory password change component to not overwrite
    the realm of the principal passed from kadmind so that logging of AFS
    password change attempts will contain the local realm instead of the
    AD realm.

    When enabling or disabling accounts in Active Directory, look them up
    by userPrincipalName instead of sAMAccountName.

    Correctly strip the realm for queuing even for principals containing
    escaped @ characters.
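    As an added illustration of the escaping edge case above (this is
    example code, not krb5-sync's own routine), a C function that drops
    the realm from a principal string while treating a backslash-escaped
    @ as part of the name.  The function name principal_strip_realm is
    hypothetical, and it assumes the realm begins at the first unescaped @.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return a newly allocated copy of principal with its realm removed.
 * The realm starts at the first '@' that is not preceded by an escaping
 * backslash; a backslash escapes whatever character follows it, so
 * "user\@host@EXAMPLE.COM" yields "user\@host".  If there is no
 * unescaped '@', the whole string is copied.  Returns NULL on allocation
 * failure.  (Hypothetical helper written for this example.)
 */
char *
principal_strip_realm(const char *principal)
{
    const char *p;
    const char *realm = NULL;
    size_t len;
    char *result;

    for (p = principal; *p != '\0'; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                break;          /* trailing backslash escapes nothing */
            p++;                /* skip the escaped character */
            continue;
        }
        if (*p == '@') {
            realm = p;          /* first unescaped @ starts the realm */
            break;
        }
    }
    len = (realm != NULL) ? (size_t) (realm - principal) : strlen(principal);
    result = malloc(len + 1);
    if (result == NULL)
        return NULL;
    memcpy(result, principal, len);
    result[len] = '\0';
    return result;
}
```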

    Add Active Directory configuration instructions.  Thanks, Ross
    Wilper.

krb5-sync 0.5 (2007-03-22)

    Obtain new AFS tokens for each operation rather than reusing the
    existing token since ka_GetAdminToken isn't smart enough to realize
    that the old token has expired.

    Queue AD password changes rather than rejecting the change if the
    error message from the password change may indicate that the user
    doesn't exist in AD.

    Queue AD password changes if there is already an AD password change
    queued rather than rejecting the change.

    Include the username in status messages from the krb5-sync
    command-line utility.

krb5-sync 0.4 (2007-01-23)

    The krb5-sync command-line utility now supports taking its actions
    from a file instead of the command-line.  Those queue files can also
    specify changing the password only in Active Directory or only in an
    AFS kaserver.

    The plugin will now queue account status changes and AFS password
    changes if making the change fails or if a change of that type is
    already queued for that account.

    Add a new Perl script, krb5-sync-backend, which supports listing and
    processing the queue and queuing particular changes.

krb5-sync 0.3 (2007-01-05)

    First publicly released version.  Includes a patch for MIT Kerberos
    1.4.4, a plugin that can synchronize passwords to one Active Directory
    realm and/or one AFS kaserver realm and enabled flag changes to one
    Active Directory realm, and command-line utilities to perform the same
    actions as the plugin.

