krb5-sync provides a command-line interface to the same functions provided by the password and status
synchronization plugin. It can push a new password to Active Directory (actually, to any password store
that supports the Kerberos set-password protocol) or activate or deactivate an account in Active
Directory.
To synchronize passwords, provide the -p option and specify the password. Note that the password is
given on the command line and must be quoted if it contains special characters, and the password will be
exposed to any other users on the system where this command is run. This is useful primarily for testing
and should not be used with production passwords. Synchronization to Active Directory will be attempted
based on the configuration in krb5.conf (see below).
To enable or disable an account, provide the -e or -d option respectively. These options can also be
provided in conjunction with the -p option to take both actions at once.
In either case, user should be the principal name for which these actions should be taken. user may be
either unqualified or in the local realm; either way, the Active Directory realm in which to make changes
will be taken from the krb5.conf configuration.
Alternately, krb5-sync also supports processing actions from a file. To do this, use the -f flag and
give the file on the command line. The format of the file should be as follows:
    <account>
    ad
    password | enable | disable
    <password>
where the fourth line is present only if the <action> is "password". <account> should be the unqualified
name of the account. The second line should be the string "ad" to push the change to Windows Active
Directory. The third line should be one of "password", "enable", or "disable", corresponding to the -p,
-e, and -d options respectively. The "enable" and "disable" actions are only supported for AD.
The file format is not particularly forgiving. In particular, all of the keywords are case-sensitive and
there must not be any whitespace at the beginning or end of the lines (except in the password, and only
if that whitespace is part of the password), just a single newline terminating each line.
When the -f option is given, the file will be deleted if the action was successful but left alone if the
action failed.
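As an added illustration (not code from krb5-sync itself), the following strict parser applies the rules above to an action file before it is handed to krb5-sync -f, rejecting the mistakes the unforgiving format does not tolerate: wrong-case keywords, surrounding whitespace, CRLF endings, a missing final newline, or a password line on an enable/disable action. The account name and password in the sample are constructed.

```python
# Added example, not part of krb5-sync: a strict validator for the
# action file read by "krb5-sync -f", following the format rules above.

ACTIONS = ("password", "enable", "disable")

class ActionFileError(ValueError):
    """The file does not match the format krb5-sync expects."""

def parse_action_file(data: bytes) -> dict:
    """Parse raw action-file bytes; "password" is None for enable/disable."""
    if b"\r" in data:  # each line must end in a single LF, nothing else
        raise ActionFileError("CR found: lines must end with a single LF")
    if not data.endswith(b"\n"):
        raise ActionFileError("last line is not newline-terminated")
    lines = data[:-1].split(b"\n")  # drop the final LF, then split
    if len(lines) < 3:
        raise ActionFileError("expected at least three lines")
    account, target, action = (line.decode("utf-8") for line in lines[:3])
    for name, value in (("account", account), ("target", target), ("action", action)):
        if not value or value != value.strip():  # no leading/trailing whitespace
            raise ActionFileError(f"{name} line is empty or has surrounding whitespace")
    if "@" in account:  # krb5-sync wants the unqualified account name here
        raise ActionFileError("account must be unqualified (no @REALM suffix)")
    if target != "ad":  # keywords are case-sensitive: "AD" is not accepted
        raise ActionFileError(f"second line must be 'ad', got {target!r}")
    if action not in ACTIONS:
        raise ActionFileError(f"third line must be one of {ACTIONS}, got {action!r}")
    password = None
    if action == "password":
        if len(lines) != 4:
            raise ActionFileError("'password' action needs exactly one password line")
        password = lines[3].decode("utf-8")  # whitespace here is part of the password
    elif len(lines) != 3:
        raise ActionFileError(f"'{action}' action takes no fourth line")
    return {"account": account, "target": target, "action": action, "password": password}

def is_valid(data: bytes) -> bool:
    """True if the file is well-formed, False on any format error."""
    try:
        parse_action_file(data)
    except ActionFileError:
        return False
    return True

# Constructed sample (not a real account or password); the trailing space
# on the password line is deliberate and is kept as part of the password.
SAMPLE = b"jdoe\nad\npassword\nhunter2 \n"
```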
The configuration block in krb5.conf should look something like this:
    krb5-sync = {
        ad_keytab       = /etc/krb5kdc/ad-keytab
        ad_principal    = service/sync@WINDOWS.EXAMPLE.COM
        ad_realm        = WINDOWS.EXAMPLE.COM
        ad_admin_server = dc1.windows.example.com
        ad_ldap_base    = ou=People
    }
If the configuration required for an action is not given, that action will not be performed but will
apparently succeed from the perspective of the krb5-sync utility. Therefore, if this utility reports
success but no change is happening, double-check the configuration to ensure that all required options
are present.
The "ad_keytab" option specifies the location of a keytab for authenticating to the other realm, the
"ad_principal" option specifies the principal to authenticate as (using the key in the keytab), and the
"ad_realm" option specifies the foreign realm. "ad_admin_server" is the host to contact via LDAP to push
account status changes. "ad_ldap_base" specifies the base tree inside Active Directory where account
information is stored. Omit the trailing "dc=" part; it will be added automatically from "ad_realm".
Be aware that the "ad_instances", "ad_base_instance", and "ad_queue_only" configuration options that are
used by the krb5-sync plugin are ignored by krb5-sync. The krb5-sync command will push changes to
whatever principal it was given, regardless of the normal limits on instances, and does not do any of the
principal remapping configured with "ad_base_instance".