I'm pleased to announce release 2.0 of kadmin-remctl.

kadmin-remctl provides a remctl backend that implements basic Kerberos
account administration functions (create, delete, enable, disable, reset
password, examine) plus user password changes and a call to strength-check
a given password. It can also provide similar management of instances and
creation, deletion, and management of accounts in MIT Kerberos, Active
Directory, and an AFS kaserver where appropriate. Also included is a
client for privileged users to use for password resets. Many of the
defaults and namespace checks are Stanford-specific, but it can be
modified for other sites.

Changes from previous release:

Significantly rework kadmin-backend. The configuration variable for
instance management has been renamed to %CONFIG and now must be set.
It controls both instances and principals without instances. Many of
the global settings have been moved into that hash and can be set
per-instance. Particular instances may now be configured to only
exist in Active Directory and bypass Kerberos v5 entirely.

Add the ksetpass client, which sets a Kerberos password via the
password change protocol using an existing Kerberos ticket cache.
Support using it for password resets in Active Directory and to work
around a Windows Server 2008 bug that prevents setting passwords at
the time of account creation when using GSS-API authentication. Based
on work by Dmitri Priimak.

Support enable and disable commands for instance management as well.

Recognize instance list errors from kadmin correctly. kadmin returns
errors prefixed by get_principals, not list_principals.

Allow for kadmin binaries that print error messages in two parts by
waiting for the end of the line before extracting the error message.

When checking against ACLs, support include commands with the same
syntax as remctld.

Change some kadmin-backend defaults to be less Stanford-specific.

You can download it from:



Please let me know of any problems or feature requests not already listed
in the TODO file.

--
Russ Allbery (rra@stanford.edu)