1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
|
krb5-sync (3.0-1) unstable; urgency=low
* New upstream release.
- Module name changed to sync.so. This will require configuration
changes in the KDC krb5.conf or kdc.conf configuration file in the
[plugins] section.
- The ad_ldap_base configuration parameter must now contain the full
DN of the tree in Active Directory where account information is
stored, and is now mandatory for status synchronization.
- New option ad_base_instance, which allows an instance's password to
be synchronized to the unqualified principal name in Active
Directory.
- New option ad_queue_only that, if set to true, forces queuing of all
changes rather than pushing any changes immediately.
- New option syslog that, if set to false, suppresses supplemental
syslog logging of notice, info, and debug messages.
- All failed Active Directory password changes are now queued, instead
of just those that returned specific errors.
- krb5-sync-backend now requires its parameters be given after the
subcommand.
- krb5-sync-backend now supports a -d option to specify the path to
the queue directory.
- krb5-sync-backend process skips queue files that no longer exist by
the time we get to them.
* Update standards version to 3.9.5 (no changes required).
-- Russ Allbery <rra@debian.org> Mon, 09 Dec 2013 21:00:01 -0800
krb5-sync (2.3-2) unstable; urgency=low
* Upload to unstable.
* Update standards version to 3.9.4.
- Add Vcs-Git and Vcs-Browser control fields.
-- Russ Allbery <rra@debian.org> Sat, 11 May 2013 16:57:12 -0700
krb5-sync (2.3-1) experimental; urgency=low
* New upstream release.
- Also protect against a NULL password on Heimdal.
- Ignore "Operation not permitted" errors in krb5-sync-backend when
running in silent mode.
* Switch to xz compression for the upstream and Debian tarballs and the
Debian packages.
* Mark krb5-sync-tools Multi-Arch: foreign.
* Remove debugging display of config.log from the build rules.
* Convert debian/copyright to copyright-format 1.0.
* Update standards version to 3.9.3 (no changes required).
-- Russ Allbery <rra@debian.org> Tue, 18 Sep 2012 13:17:43 -0700
krb5-sync (2.2-3) unstable; urgency=low
* Apply upstream commit to silently ignore password changes with a NULL
password, only new keys. This represents a key randomization, such as
from addprinc -randkey, which is outside the synchronization scope of
this package. Without this change, the plugin would segfault on that
operation. (Closes: #687346)
-- Russ Allbery <rra@debian.org> Mon, 17 Sep 2012 20:24:01 -0700
krb5-sync (2.2-2) unstable; urgency=low
* Fix debian/rules syntax for setting hardening flags and enable bindnow
and PIE.
* Regenerate the Autotools build system with dh-autoreconf.
* Bump debhelper dependency to 9 now that compatibility mode V9 is no
longer experimental.
* Move single-debian-patch to local-options and patch-header to
local-patch-header so that they only apply to the packages I build and
NMUs get regular version-numbered patches.
-- Russ Allbery <rra@debian.org> Tue, 07 Feb 2012 17:14:21 -0800
krb5-sync (2.2-1) unstable; urgency=low
* Initial upload to Debian. (Closes: #655396)
* New upstream release.
- Add support for the hooks provided by MIT Kerberos 1.9.
- Quietly skip -randkey password changes under MIT Kerberos.
- krb5-sync-backend accepts the password on standard input.
- krb5-sync diagnoses missing configuration instead of segfaulting.
* Split the package into krb5-sync-plugin and krb5-sync-tools packages,
since the former needs to be multiarch.
* Add Breaks and Replaces on the old internal krb5-sync package to
krb5-sync-tools. This is unnecessary for Debian but helpful for the
transition at Stanford and will be removed once that transition is
complete.
* Update to experimental debhelper compatibility level V9.
- krb5-sync-plugin is multiarch.
- Enable hardening build flags.
* Recommend krb5-admin-server 1.9 or later in the plugin package. This
isn't the best way to express the dependency, since the plugin is
actually loaded by libkadm5srv, but otherwise we have to depend on the
specific SONAME of libkadm5srv even though any version of the package
will do. This will capture the most common scenarios.
* Restart krb5-admin-server if it's running when the plugin is
configured to ensure the latest version is loaded.
* Update the krb5-sync-plugin README.Debian for the built-in support for
loading this plugin in MIT Kerberos 1.9 and later and to provide a
sample of the krb5.conf configuration required.
* Update the package description and dependencies to reflect that it's
now specific to MIT Kerberos.
* Remove the special bug reporting address, as this package is now in
Debian proper.
* Update standards version to 3.9.2 (no changes required).
-- Russ Allbery <rra@debian.org> Wed, 11 Jan 2012 14:36:33 -0800
krb5-sync (2.1-1) unstable; urgency=low
* New upstream release.
- Fix suppression of error messages in krb5-sync-backend -s.
- Suppress Heimdal service_locator plugin error messages in
krb5-sync-backend if -s is given.
- Avoid deprecated OpenLDAP functions.
* Recommend heimdal-kdc, not krb5-admin-server, since the package is now
built as a Heimdal plugin. Eventually (before uploading to Debian)
we'll build both plugins using the -multidev packages.
* Direct bug reports against this package to me personally.
* Switch to 3.0 (quilt) source format. Force a single Debian patch and
include a custom patch header explaining that it is a rollup of any
fixes cherry-picked from upstream and breaking those patches out
separately would be work for no gain.
* Update standards version to 3.9.1 (no changes required).
-- Russ Allbery <rra@debian.org> Thu, 26 Aug 2010 18:06:27 -0700
krb5-sync (2.0-2) unstable; urgency=low
* Queue password changes for AD for any password change failure.
Heimdal may return a missing plugin error rather than the regular
password change failure message if the account doesn't exist.
-- Russ Allbery <rra@debian.org> Sun, 16 May 2010 11:13:01 -0700
krb5-sync (2.0-1) unstable; urgency=low
* New upstream release.
- Drop support for AFS kaserver synchronization.
- Add support for Heimdal as well as MIT Kerberos.
- Add an ad_ldap_base configuration option to specify the base DN for
Active Directory.
- Ignore connection timeouts from AD when running the queue via
krb5-sync-backend in silent mode.
- Improve error reporting in krb5-sync.
* Built against Heimdal Kerberos instead of MIT Kerberos.
* No longer restart kadmind on package installation, since the
convention for Heimdal is to run kadmind from inetd.
* Update debhelper compatibility level to V7.
- Use debhelper rule minimization with overrides.
- Add ${misc:Depends} to dependencies.
* Add a watch file.
* Update standards version to 3.8.4 (no changes required).
-- Russ Allbery <rra@debian.org> Mon, 15 Feb 2010 23:21:15 -0800
krb5-sync (1.2-1) unstable; urgency=low
* New upstream release.
- Fix thread leak in AFS kaserver synchronization.
- Add a purge command to krb5-sync-backend.
* If /usr/sbin/kadmind is present, restart krb5-admin-server on
installation or upgrade to pick up the new plugin.
* Add a Homepage control header.
* Update debian/copyright based on the upstream LICENSE file.
* Update standards version to 3.7.3 (no changes required).
-- Russ Allbery <rra@debian.org> Thu, 20 Dec 2007 16:07:50 -0800
krb5-sync (1.1-1) unstable; urgency=low
* New upstream release.
- Don't assume the principal instance is nul-terminated.
- Improve instance checking to fix some false negatives.
-- Russ Allbery <rra@debian.org> Mon, 27 Aug 2007 14:33:21 -0700
krb5-sync (1.0-1) unstable; urgency=low
* New upstream release.
- Add krb5-sync-backend -s option to filter out some messages.
- Log krb5-sync actions as LOG_AUTH.
- Don't repeat the realm in AD status change log messages.
-- Russ Allbery <rra@debian.org> Mon, 13 Aug 2007 18:02:10 -0700
krb5-sync (0.7-1) unstable; urgency=low
* New upstream release.
- Better logging of plugin failures leading to queuing.
- Log krb5-sync actions as LOG_AUTHPRIV, not LOG_DAEMON.
-- Russ Allbery <rra@debian.org> Tue, 07 Aug 2007 10:46:35 -0700
krb5-sync (0.6-1) unstable; urgency=low
* New upstream release.
- Support synchronizing selected accounts with non-empty instances.
- Don't overwrite principal realms in the AD plugin.
- Use userPrincipalName instead of sAMAccountName in AD.
- Correctly strip the realm in principals with escaped @ characters.
- Add configuration documentation for AD.
-- Russ Allbery <rra@debian.org> Fri, 13 Jul 2007 13:41:45 -0700
krb5-sync (0.5-2) unstable; urgency=low
* Create /var/spool/krb5-sync/.lock as part of package installation
since krb5-sync-backend requires that it exist.
* Install a lintian override for the shlib-with-non-pic-code error.
This is unavoidable as long as we have to link with AFS code.
-- Russ Allbery <rra@debian.org> Fri, 29 Jun 2007 18:43:52 -0700
krb5-sync (0.5-1) unstable; urgency=low
* New upstream release.
- Obtain new AFS tokens for each operation to avoid expiration.
- Queue AD changes rather than rejecting for non-existent users.
- Queue AD changes if there's already a queued change.
- Include the username in krb5-sync status messages.
-- Russ Allbery <rra@debian.org> Thu, 22 Mar 2007 16:54:39 -0700
krb5-sync (0.4-1) unstable; urgency=low
* New upstream release.
- Added queuing of status and AFS password changes on failure.
- Fail/queue if a change is already queued for that user and action.
- Added krb5-sync-backend to manage the queue.
* Update upstream authorship information.
-- Russ Allbery <rra@debian.org> Tue, 23 Jan 2007 16:27:44 -0800
krb5-sync (0.3-1) unstable; urgency=low
* New, significantly different upstream release.
- Now installs into /usr/lib/kadmind instead of the KDC directory.
- New krb5-sync command-line utility.
- ad-modify and acct_disable are gone, as is their config file.
* Change package name for the new upstream distribution name.
* We no longer need to run Automake at build time.
* Update debian/copyright to reflect the new upstream location.
-- Russ Allbery <rra@debian.org> Thu, 14 Dec 2006 16:20:00 -0800
krb5-passwd-sync (0.2-4) unstable; urgency=low
* In ad-modify, set the ticket cache appropriately so that SASL inside
the LDAP libraries doesn't just use the default cache.
* Our AD stores accounts under ou=Accounts, not cn=Users.
* Log a message to syslog when we propagate status.
* Report error messages to syslog rather than standard error so that we
can see what's going on.
-- Russ Allbery <rra@debian.org> Mon, 11 Dec 2006 14:15:14 -0800
krb5-passwd-sync (0.2-3) unstable; urgency=low
* Point the compile-time hard-coded realms (ugh) and the configuration
file at the test environment for right now.
* Hard-code a slightly more useful path to the K4 srvtab.
* When syncing with Kerberos v4, use the kaserver interface.
* Properly turn the password into a DES key before setting it.
* Link against the proper Kerberos v4 libraries.
* Add some error handling to the Kerberos v4 password changing.
* Use a different Kerberos v4 principal.
* Fix the build machinery to actually set the foreign realm.
* Run Autoconf and Automake before building.
-- Russ Allbery <rra@debian.org> Fri, 8 Dec 2006 17:40:04 -0800
krb5-passwd-sync (0.2-2) unstable; urgency=low
* Add the acct_disable script and ad-modify binary to propagate
DISALLOW_ALL_TIX status to Windows AD as well.
* Build the update plugin PIC.
-- Russ Allbery <rra@debian.org> Wed, 15 Nov 2006 14:03:51 -0800
krb5-passwd-sync (0.2-1) unstable; urgency=low
* New upstream release.
- Add support for password synchronization to AFS kaserver as well.
-- Russ Allbery <rra@debian.org> Mon, 28 Aug 2006 14:22:30 -0700
krb5-passwd-sync (0.1-1) unstable; urgency=low
* Initial release.
-- Russ Allbery <rra@debian.org> Fri, 4 Aug 2006 17:05:04 -0700
|
