I have a need to programmatically reset passwords in our MIT Kerberos
(1.4.4) realm from Windows (2003 R2), authenticating with a "/admin"
account and keytab. I am very early in the process, but since I have
never worked with the MIT libs before, I am hoping someone can wave me
away from pitfalls in my description below.

I am extending a custom AD password filter to sync passwords into
Kerberos. My assumption is that there are no Microsoft libs that will
allow me to perform administrative password resets against an MIT KDC.
Please correct me if I am wrong in my assumption.

I will either extend the filter to call into the MIT libs directly, or
"CreateProcess" a Perl script using "Authen::Krb5::Admin" -- but either
approach appears to require the MIT libs. We have many more Perl monks
than C ninjas around here, so for maintainability, I am leaning in the
CreateProcess/Perl direction.

Perusing the source bundles, I do see that it is possible to compile
on Windows. I have not yet extensively studied the API, but I guess I
am looking to authenticate an "/admin" princ with a keytab, and issue
the equivalent of a cpw -pw .

So, a few questions:

1) Do the libraries necessary for an administrative password reset exist
within KfW? Existing DLLs would save me a bunch.

2) If I need to build from source, given a 1.4.4 KDC, should I use the
same version, or can I safely use the latest 1.6.x?

3) Already recognizing the security issues surrounding password
synchronization, is there anything else obviously unsafe about my
direction? Concurrency issues, static vs. dynamic linking of MIT
libraries, known problems with "Authen::Krb5::Admin", etc ?

4) Has anyone done this, and could share any code or documentation?

My most humble thanks to you all -- any advice is greatly appreciated,

Matt Smith
University Information Technology Services (UITS)
University of Connecticut
PGP Key ID: 0xE9C5244E

Version: GnuPG v1.4.6 (GNU/Linux)