I'm pleased to announce release 0.6 of krb5-sync. At this point,
krb5-sync has received more testing and should be considered beta
software, but please be aware that it still is not running anywhere in

krb5-sync is a toolkit for updating passwords and account status from an
MIT Kerberos master KDC to Active Directory and/or an AFS kaserver. It is
implemented as a patch to kadmind and a plugin module that will push
password changes and selected account flag changes to Active Directory or
to a kaserver at the same time as they are made to the local KDC database.

Changes from previous release:

Add support for propagating selected non-empty instances into the AFS
and Active Directory environments rather than ignoring all principals
with non-empty instances.

Fix the Active Directory password change component to not overwrite
the realm of the principal passed from kadmind so that logging of AFS
password change attempts will contain the local realm instead of the
AD realm.

When enabling or disabling accounts in Active Directory, look them up
by userPrincipalName instead of sAMAccountName.

Correctly strip the realm for queuing even for principals containing
escaped @ characters.

Add Active Directory configuration instructions. Thanks, Ross

You can download it from:

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra@stanford.edu)