I'm pleased to announce release 3.3 of kadmin-remctl.
kadmin-remctl provides a remctl backend that implements basic Kerberos
account administration functions (create, delete, enable, disable, reset
password, examine) plus user password changes and a call to strength-check
a given password. It can also provide similar management of instances and
creation, deletion, and management of accounts in Heimdal, MIT Kerberos,
Active Directory, and an AFS kaserver where appropriate. Also included is
a client for privileged users to use for password resets and a simple
client for password chnages via the Kerberos password change protocol.
Many of the defaults and namespace checks are Stanford-specific, but it
can be modified for other sites.
Changes from previous release:
In the Heimdal version of kadmin-backend, retry the kadmin connection
once if the first connection fails. This is a workaround for a
transient networking error that we're seeing at Stanford and therefore
may not be fully appropriate for other sites, but should hopefully be
harmless. Also suppress the standard error output from the Heimdal
library during connect since Heimdal::Kadm5 does not.
Clean up error reporting in the Heimdal version of kadmin-backend.
Use the correct (rather than the documented) way to tell
Heimdal::Kadm5 to throw exceptions, and ensure that all kadmin
functions uniformly use the same standard error formatting and exit
status for kadmin failures.
Exit with a non-zero status if the check_passwd command rejects the
password. Previously, an error would be reported but the backend
would always report a successful zero status if the password could be
checked, even if it was rejected.
The Heimdal version of kadmin-backend now requires the IPC::Run Perl
module (available from CPAN).
Produce a better error message when trying to change the password of a
disabled account with the Heimdal backend.
When prompting for a username in passwd_change, strip any surrounding
whitespace from that username before proceeding.
Update to rra-c-util 4.8:
* Fix Heimdal libroken probes for old versions of Heimdal.
* Fix Kerberos header probing with non-standard include paths.
* Pass --deps to krb5-config if it is supported.
* Properly find krb5.h on NetBSD systems.
* Fix stripping of -I/usr/include from krb5-config output.
* Avoid using krb5-config if specific Kerberos paths are configured.
* Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config.
* Replace concat with xasprintf.
* xasprintf is now void and always calls the failure handler on error.
* Improve __attribute__ portability to old GCC or non-GCC compilers.
* Add -D_FORTIFY_SOURCE=2 to make warnings flags.
* Probe for ssize_t and replace it in portable/system.h if not found.
* Include strings.h in portable/system.h if it exists.
* Add a pointer to rra-c-util in all files.
You can download it from:
http://www.eyrie.org/~eagle/software/kadmin-remctl/
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (r...@stanford.edu) http://www.eyrie.org/~eagle/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
