Provided by: krb5-sync-tools_3.1-1_i386 bug


       krb5-sync - Synchronize passwords and status with Active Directory


       krb5-sync [-d | -e] [-p password] user

       krb5-sync -f file


       krb5-sync provides a command-line interface to the same functions
       provided by the password and status synchronization plugin.  It can
       push a new password to Active Directory (actually, to any password
       store that supports the Kerberos set-password protocol) or activate or
       deactivate an account in Active Directory.

       To synchronize passwords, provide the -p option and specify the
       password.  Note that the password is given on the command line and must
       be quoted if it contains special characters, and the password will be
       exposed to any other users on the system where this command is run.
       This is useful primarily for testing and should not be used with
       production passwords.  Synchronization to Active Directory will be
       attempted based on the configuration in krb5.conf (see below).

       To enable or disable an account, provide the -e or -d option
       respectively.  These options can also be provided in conjunction with
       the -p option to take both actions at once.

       In either case, user should be the principal name for which these
       actions should be taken.  user may be either unqualified or in the
       local realm; either way, the Active Directory realm in which to make
       changes will be taken from the krb5.conf configuration.

       Alternately, krb5-sync also supports processing actions from a file.
       To do this, use the -f flag and give the file on the command line.  The
       format of the file should be as follows:

           password | enable | disable

       where the fourth line is present only if the <action> is "password".
       <account> should be the unqualified name of the account.  The second
       line should be the string "ad" to push the change to Windows Active
       Directory.  The third line should be one of "password", "enable", or
       "disable", corresponding to the -p, -e, and -d options respectively.
       The "enable" and "disable" actions are only supported for AD.

       The file format is not particularly forgiving.  In particular, all of
       the keywords are case-sensitive and there must not be any whitespace at
       the beginning or end of the lines (except in the password, and only if
       that whitespace is part of the password), just a single newline
       terminating each line.

       When the -f option is given, the file will be deleted if the action was
       successful but left alone if the action failed.

       The configuration block in krb5.conf should look something like this:

           krb5-sync = {
               ad_keytab       = /etc/krb5kdc/ad-keytab
               ad_principal    = service/sync@WINDOWS.EXAMPLE.COM
               ad_realm        = WINDOWS.EXAMPLE.COM
               ad_admin_server =
               ad_ldap_base    = ou=People

       If the configuration required for an action is not given, that action
       will not be performed but will apparently succeed from the perspective
       of the krb5-sync utility.  Therefore, if this utility reports success
       but no change is happening, double-check the configuration to ensure
       that all required options are present.

       The "ad_keytab" option specifies the location of a keytab for
       authenticating to the other realm, the "ad_principal" option specifies
       the principal to authenticate as (using the key in the keytab), and the
       "ad_realm" option specifies the foreign realm.  "ad_admin_server" is
       the host to contact via LDAP to push account status changes.
       "ad_ldap_base" specifies the base tree inside Active Directory where
       account information is stored.  Omit the trailing "dc=" part; it will
       be added automatically from "ad_realm".

       Be aware that the "ad_instances", "ad_base_instance", and
       "ad_queue_only" configuration options that are used by the krb5-sync
       plugin are ignored by krb5-sync.  The krb5-sync command will push
       changes to whatever principal it was given, regardless of the normal
       limits on instances, and does not do any of the principal remapping
       configured with "ad_base_instance".


       -d  Disable the specified user in Active Directory.  Requires that all
           of the ad_* options be set in krb5.conf.  This option may not be
           specified at the same time as -e.

       -e  Enable the specified user in Active Directory.  Requires that all
           of the ad_* options be set in krb5.conf.  This option may not be
           specified at the same time as -e.

       -f file
           Rather than perform a particular action based on a username given
           on the command line, read a queue file and take action based on it.
           The format of the queue file is described above.  If the action
           fails, the file will be left alone.  If the action succeeds, the
           file will be deleted.

       -p password
           Change the user's password to password in Active Directory.


       Disable the account "jdoe" in Active Directory (using the AD
       configuration found in krb5.conf):

           krb5-sync -d jdoe

       Change the password of the account "testuser" in Active Directory to

           krb5-sync -p changeme testuser@EXAMPLE.COM

       The same, except also enable the account in Active Directory:

           krb5-sync -e -p changeme testuser

       Note that the realm for the user given on the command line is optional
       and ignored.

       Given a file named jdoe-ad-1168560492 containing:


       the command:

           krb5-sync -f jdoe-ad-1168560492

       will change jdoe's password to "changeme" in Active Directory and then
       delete the file.


       The current version of this program is available from its web page at


       Russ Allbery <>


       Copyright 2007, 2008, 2010, 2012 The Board of Trustees of the Leland
       Stanford Junior University

       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.  This file is offered as-is,
       without any warranty.