krb5-sync-backend (disable|enable) [-d queue] user
krb5-sync-backend list [-d queue]
krb5-sync-backend process [-s] [-d queue]
krb5-sync-backend password [-d queue] user ad < password
krb5-sync-backend purge [-d queue] days
DESCRIPTIONkrb5-sync-backend provides an interface to the queue of pending password and account status changes written by either this utility or by the synchronization plugin after failures. It can queue account enables, disables, or password changes for Active Directory, list the queued actions, or process the queued actions with krb5-sync (telling it to take its action from a file).
The queue directory will contain files with names in the format:
where <username> is the name of the affected account ("/" will be replaced with "." in the file name and the realm will be removed), <domain> is "ad", <action> is either "enable" (used for both enabling and disabling accounts) or "password", <timestamp> is a ISO 8601 timestamp in UTC, and <count> is a two-digit zero-padded number between 0 and 99 (so that we can handle multiple changes that arrive in the same second). Each file contains a queued change in the format described in krb5-sync(8).
Supported arguments to krb5-sync-backend are:
- disable user
- Queue a disable action (in Active Directory, as that's the only system currently supported for enable and disable) for user.
- enable user
- Queue an enable action (in Active Directory, as that's the only system currently supported for enable and disable) for user.
- List the supported commands.
- List the current contents of the queue.
- Display this documentation.
- Process the queue. All queued actions will be sorted alphanumerically (which due to the timestamp means that all changes for a particular user of a particular type will be done in the order queued). krb5-sync will be called for each queued action, as long as it continues to succeed. If it fails for a queued action, all other actions sharing the same username, domain, and action will be skipped and queue processing will continue with the next action that differs in one of those three parameters.
- password user ad < password
Queue a password change for user in Active Directory, setting their
password to password. By default, password is read from standard input.
It can also be passed as a command-line argument, but this is less secure
since the password is then readable by anyone on the system who can see the
command-line arguments of processes.
The entire standard input is taken as the password, including any trailing newlines, so be careful how the password is provided. If using something like echo, use "echo -n" or the "\c" flag, depending on your system.
- purge days
- Delete all queued actions last modified longer than days days ago. This can be used to clean up old failed change propagations in situations where accounts may be created or have password changes queued that are later removed and never created in other environments.
OPTIONSOptions must be specified after the command.
- -d queue, --directory=queue
- Use queue as the queue directory instead of the default of /var/spool/krb5-sync. This also changes the lock file accordingly. This option is supported for all commands except "help" and "manual".
- -s, --silent
- This option is only allowed for the "process" command. Filter out the output of krb5-sync to ignore common errors and success messages and only show uncommon errors. This option will filter out all output when krb5-sync is successful and will filter out error messages that normally indicate the account is missing in Active Directory. The regexes can be modified at the start of this script.
- The path to the krb5-sync utility. This may be changed at the top of this script.
- The default path to the queue. This must match the queue_dir parameter in krb5.conf used by the plugin. It can be changed at the top of this script.
- An empty file used for locking the queue. When writing to or querying the queue, krb5-sync-backend will open and lock this file with the Perl flock function, which normally calls flock(2). Any other queue writers need to use the same locking mechanism for safe operation.
AUTHORRuss Allbery <[email protected]>
COPYRIGHT AND LICENSECopyright 2007, 2008, 2010, 2012, 2013 The Board of Trustees of the Leland Stanford Junior University
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ``Software''), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED ``AS IS'', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.