Russ Allbery wrote:
> I'm pleased to announce release 1.2 of krb5-sync.

Has anyone attempted to use the patch included in this with newer MIT
Kerberos releases? I'm particularly interested in 1.6.1 with RHEL5
patches, but if someone has tried this with a similar vintage krb5 I'd
expect it to be helpful.

I have tried applying the patch as is, and 3 pieces of the patch
immediately fail (I've yet to try and determine if the rest of the chunks
that apply are actually correct).

1) src/lib/kadm5/ does not exist in 1.6.1. The patch seems
to be adding checks for dlopen:

--- krb5-1.4.4/src/lib/kadm5/ 2004-02-12
19:19:30.000000000 -0
+++ krb5-1.4.4-patched/src/lib/kadm5/ 2007-07-29
00000 -0700
@@ -10,10 +10,12 @@
AC_CHECK_FUNCS(srand48 srand srandom)
+AC_CHECK_LIB(dl, dlopen, DL_LIB=-ldl)
if test "$PERL" = perl -a "$RUNTEST" = runtest -a "$TCL_LIBS" != ""; then
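Review bot: The added AC_CHECK_LIB line only assigns DL_LIB as a shell variable, and the hunk header (-10,10 +10,12) counts two added lines while only one is shown here. Confirm that the missing line is AC_SUBST(DL_LIB) or an equivalent, since without it the -ldl value never reaches the generated Makefile.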

I'm not sure if these autoconf rules need to be added to some higher
level configure.{in,ac} or if they are already taken care of in 1.6.1.

2) In src/lib/kadm5/srv/server_init.c, the addition of the call to
init_pwupdate() just before adb_policy_init() failed. It looks like
sdb_policy_init is being called in a fairly different place now. Any
hints on what the appropriate time to initialize this plugin is in 1.6.1?

3) Finally, the actual init_pwupdate function failed to get added to
svr_principal.c, but I think that was just because the file was enough
shorter than the 1.4.4 version, and that it can be added to the end of
the file.

In any case, if anyone has any experience with this patch on newer krb5
releases, or can make recommendations on how to remedy the failed patch
elements listed above (particularly issues 1 and 2), your help would be
much appreciated.


-Matt Andrews

> krb5-sync is a toolkit for updating passwords and account status from an
> MIT Kerberos master KDC to Active Directory and/or an AFS kaserver. It is
> implemented as a patch to kadmind and a plugin module that will push
> password changes and selected account flag changes to Active Directory or
> to a kaserver at the same time as they are made to the local KDC database.
>
> Changes from previous release:
>
>     Don't call rx_Finalize after every synchronization with an AFS
>     kaserver. This isn't correct and leaks threads. Only call
>     rx_Finalize when shutting down the entire module.
>
>     The AFS synchronization code is now only built if requested using the
>     --with-afs flag to configure, allowing the package to be built at
>     sites that don't use AFS.
>
>     Add the purge command to krb5-sync-backend, which removes all queued
>     actions last modified more than some number of days in the past.
>
>     Use the new Kerberos error message APIs to retrieve error messages,
>     giving more complete errors in current versions of Kerberos. This is
>     also necessary in the long run for Heimdal support, although the
>     package in general doesn't support Heimdal yet.
>
> You can download it from:
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.