krb5-sync (3.1-1) unstable; urgency=medium * New upstream release. - Fix ignore regex and errors for krb5-sync-backend silent mode. * Add the upstream release signing key and verify it in debian/watch. * Prefer *.tar.xz in debian/watch to match packaging. * Fix Upstream-Contact email address in debian/copyright. * Add debian/gbp.conf reflecting the branch layout of the default packaging repository. * Update standards version to 3.9.6 (no changes required). -- Russ Allbery Tue, 18 Aug 2015 21:45:35 -0700 krb5-sync (3.0-4) unstable; urgency=medium * Actually use dh_autoreconf rather than only depending on it. Thanks to Matthias Klose for the report. (Closes: #744600) * Enable parallel builds. -- Russ Allbery Sun, 13 Apr 2014 11:14:45 -0700 krb5-sync (3.0-3) unstable; urgency=medium * The change in 3.0-3 fixed the test suite failure on all architectures except armel, which appears to still be failing with a variation on the original issue. Further expand the valid timing range on the test, since this seems to be on the right track but just didn't go far enough. -- Russ Allbery Sun, 09 Feb 2014 19:21:52 -0800 krb5-sync (3.0-2) unstable; urgency=medium * Fix the tools/backend test suite to be less sensitive to timing when queuing changes. (Closes: #738364) -- Russ Allbery Sun, 09 Feb 2014 13:41:36 -0800 krb5-sync (3.0-1) unstable; urgency=low * New upstream release. - Module name changed to sync.so. This will require configuration changes in the KDC krb5.conf or kdc.conf configuration file in the [plugins] section. - The ad_ldap_base configuration parameter must now contain the full DN of the tree in Active Directory where account information is stored, and is now mandatory for status synchronization. - New option ad_base_instance, which allows an instance's password to be synchronized to the unqualified principal name in Active Directory. - New option ad_queue_only that, if set to true, forces queuing of all changes rather than pushing any changes immediately. - New option syslog that, if set to false, suppresses supplemental syslog logging of notice, info, and debug messages. - All failed Active Directory password changes are now queued, instead of just those that returned specific errors. - krb5-sync-backend now requires its parameters be given after the subcommand. - krb5-sync-backend now supports a -d option to specify the path to the queue directory. - krb5-sync-backend process skips queue files that no longer exist by the time we get to them. * Update standards version to 3.9.5 (no changes required). -- Russ Allbery Mon, 09 Dec 2013 22:58:10 -0800 krb5-sync (2.3-2) unstable; urgency=low * Upload to unstable. * Update standards version to 3.9.4. - Add Vcs-Git and Vcs-Browser control fields. -- Russ Allbery Sat, 11 May 2013 16:57:12 -0700 krb5-sync (2.3-1) experimental; urgency=low * New upstream release. - Also protect against a NULL password on Heimdal. - Ignore "Operation not permitted" errors in krb5-sync-backend when running in silent mode. * Switch to xz compression for the upstream and Debian tarballs and the Debian packages. * Mark krb5-sync-tools Multi-Arch: foreign. * Remove debugging display of config.log from the build rules. * Convert debian/copyright to copyright-format 1.0. * Update standards version to 3.9.3 (no changes required). -- Russ Allbery Tue, 18 Sep 2012 13:17:43 -0700 krb5-sync (2.2-3) unstable; urgency=low * Apply upstream commit to silently ignore password changes with a NULL password, only new keys. This represents a key randomization, such as from addprinc -randkey, which is outside the synchronization scope of this package. Without this change, the plugin would segfault on that operation. (Closes: #687346) -- Russ Allbery Mon, 17 Sep 2012 20:24:01 -0700 krb5-sync (2.2-2) unstable; urgency=low * Fix debian/rules syntax for setting hardening flags and enable bindnow and PIE. * Regenerate the Autotools build system with dh-autoreconf. * Bump debhelper dependency to 9 now that compatibility mode V9 is no longer experimental. * Move single-debian-patch to local-options and patch-header to local-patch-header so that they only apply to the packages I build and NMUs get regular version-numbered patches. -- Russ Allbery Tue, 07 Feb 2012 17:14:21 -0800 krb5-sync (2.2-1) unstable; urgency=low * Initial upload to Debian. (Closes: #655396) * New upstream release. - Add support for the hooks provided by MIT Kerberos 1.9. - Quietly skip -randkey password changes under MIT Kerberos. - krb5-sync-backend accepts the password on standard input. - krb5-sync diagnoses missing configuration instead of segfaulting. * Split the package into krb5-sync-plugin and krb5-sync-tools packages, since the former needs to be multiarch. * Add Breaks and Replaces on the old internal krb5-sync package to krb5-sync-tools. This is unnecessary for Debian but helpful for the transition at Stanford and will be removed once that transition is complete. * Update to experimental debhelper compatibility level V9. - krb5-sync-plugin is multiarch. - Enable hardening build flags. * Recommend krb5-admin-server 1.9 or later in the plugin package. This isn't the best way to express the dependency, since the plugin is actually loaded by libkadm5srv, but otherwise we have to depend on the specific SONAME of libkadm5srv even though any version of the package will do. This will capture the most common scenarios. * Restart krb5-admin-server if it's running when the plugin is configured to ensure the latest version is loaded. * Update the krb5-sync-plugin README.Debian for the built-in support for loading this plugin in MIT Kerberos 1.9 and later and to provide a sample of the krb5.conf configuration required. * Update the package description and dependencies to reflect that it's now specific to MIT Kerberos. * Remove the special bug reporting address, as this package is now in Debian proper. * Update standards version to 3.9.2 (no changes required). -- Russ Allbery Wed, 11 Jan 2012 14:36:33 -0800 krb5-sync (2.1-1) unstable; urgency=low * New upstream release. - Fix suppression of error messages in krb5-sync-backend -s. - Suppress Heimdal service_locator plugin error messages in krb5-sync-backend if -s is given. - Avoid deprecated OpenLDAP functions. * Recommend heimdal-kdc, not krb5-admin-server, since the package is now built as a Heimdal plugin. Eventually (before uploading to Debian) we'll build both plugins using the -multidev packages. * Direct bug reports against this package to me personally. * Switch to 3.0 (quilt) source format. Force a single Debian patch and include a custom patch header explaining that it is a rollup of any fixes cherry-picked from upstream and breaking those patches out separately would be work for no gain. * Update standards version to 3.9.1 (no changes required). -- Russ Allbery Thu, 26 Aug 2010 18:06:27 -0700 krb5-sync (2.0-2) unstable; urgency=low * Queue password changes for AD for any password change failure. Heimdal may return a missing plugin error rather than the regular password change failure message if the account doesn't exist. -- Russ Allbery Sun, 16 May 2010 11:13:01 -0700 krb5-sync (2.0-1) unstable; urgency=low * New upstream release. - Drop support for AFS kaserver synchronization. - Add support for Heimdal as well as MIT Kerberos. - Add an ad_ldap_base configuration option to specify the base DN for Active Directory. - Ignore connection timeouts from AD when running the queue via krb5-sync-backend in silent mode. - Improve error reporting in krb5-sync. * Built against Heimdal Kerberos instead of MIT Kerberos. * No longer restart kadmind on package installation, since the convention for Heimdal is to run kadmind from inetd. * Update debhelper compatibility level to V7. - Use debhelper rule minimization with overrides. - Add ${misc:Depends} to dependencies. * Add a watch file. * Update standards version to 3.8.4 (no changes required). -- Russ Allbery Mon, 15 Feb 2010 23:21:15 -0800 krb5-sync (1.2-1) unstable; urgency=low * New upstream release. - Fix thread leak in AFS kaserver synchronization. - Add a purge command to krb5-sync-backend. * If /usr/sbin/kadmind is present, restart krb5-admin-server on installation or upgrade to pick up the new plugin. * Add a Homepage control header. * Update debian/copyright based on the upstream LICENSE file. * Update standards version to 3.7.3 (no changes required). -- Russ Allbery Thu, 20 Dec 2007 16:07:50 -0800 krb5-sync (1.1-1) unstable; urgency=low * New upstream release. - Don't assume the principal instance is nul-terminated. - Improve instance checking to fix some false negatives. -- Russ Allbery Mon, 27 Aug 2007 14:33:21 -0700 krb5-sync (1.0-1) unstable; urgency=low * New upstream release. - Add krb5-sync-backend -s option to filter out some messages. - Log krb5-sync actions as LOG_AUTH. - Don't repeat the realm in AD status change log messages. -- Russ Allbery Mon, 13 Aug 2007 18:02:10 -0700 krb5-sync (0.7-1) unstable; urgency=low * New upstream release. - Better logging of plugin failures leading to queuing. - Log krb5-sync actions as LOG_AUTHPRIV, not LOG_DAEMON. -- Russ Allbery Tue, 07 Aug 2007 10:46:35 -0700 krb5-sync (0.6-1) unstable; urgency=low * New upstream release. - Support synchronizing selected accounts with non-empty instances. - Don't overwrite principal realms in the AD plugin. - Use userPrincipalName instead of sAMAccountName in AD. - Correctly strip the realm in principals with escaped @ characters. - Add configuration documentation for AD. -- Russ Allbery Fri, 13 Jul 2007 13:41:45 -0700 krb5-sync (0.5-2) unstable; urgency=low * Create /var/spool/krb5-sync/.lock as part of package installation since krb5-sync-backend requires that it exist. * Install a lintian override for the shlib-with-non-pic-code error. This is unavoidable as long as we have to link with AFS code. -- Russ Allbery Fri, 29 Jun 2007 18:43:52 -0700 krb5-sync (0.5-1) unstable; urgency=low * New upstream release. - Obtain new AFS tokens for each operation to avoid expiration. - Queue AD changes rather than rejecting for non-existent users. - Queue AD changes if there's already a queued change. - Include the username in krb5-sync status messages. -- Russ Allbery Thu, 22 Mar 2007 16:54:39 -0700 krb5-sync (0.4-1) unstable; urgency=low * New upstream release. - Added queuing of status and AFS password changes on failure. - Fail/queue if a change is already queued for that user and action. - Added krb5-sync-backend to manage the queue. * Update upstream authorship information. -- Russ Allbery Tue, 23 Jan 2007 16:27:44 -0800 krb5-sync (0.3-1) unstable; urgency=low * New, significantly different upstream release. - Now installs into /usr/lib/kadmind instead of the KDC directory. - New krb5-sync command-line utility. - ad-modify and acct_disable are gone, as is their config file. * Change package name for the new upstream distribution name. * We no longer need to run Automake at build time. * Update debian/copyright to reflect the new upstream location. -- Russ Allbery Thu, 14 Dec 2006 16:20:00 -0800 krb5-passwd-sync (0.2-4) unstable; urgency=low * In ad-modify, set the ticket cache appropriately so that SASL inside the LDAP libraries doesn't just use the default cache. * Our AD stores accounts under ou=Accounts, not cn=Users. * Log a message to syslog when we propagate status. * Report error messages to syslog rather than standard error so that we can see what's going on. -- Russ Allbery Mon, 11 Dec 2006 14:15:14 -0800 krb5-passwd-sync (0.2-3) unstable; urgency=low * Point the compile-time hard-coded realms (ugh) and the configuration file at the test environment for right now. * Hard-code a slightly more useful path to the K4 srvtab. * When syncing with Kerberos v4, use the kaserver interface. * Properly turn the password into a DES key before setting it. * Link against the proper Kerberos v4 libraries. * Add some error handling to the Kerberos v4 password changing. * Use a different Kerberos v4 principal. * Fix the build machinery to actually set the foreign realm. * Run Autoconf and Automake before building. -- Russ Allbery Fri, 8 Dec 2006 17:40:04 -0800 krb5-passwd-sync (0.2-2) unstable; urgency=low * Add the acct_disable script and ad-modify binary to propagate DISALLOW_ALL_TIX status to Windows AD as well. * Build the update plugin PIC. -- Russ Allbery Wed, 15 Nov 2006 14:03:51 -0800 krb5-passwd-sync (0.2-1) unstable; urgency=low * New upstream release. - Add support for password synchronization to AFS kaserver as well. -- Russ Allbery Mon, 28 Aug 2006 14:22:30 -0700 krb5-passwd-sync (0.1-1) unstable; urgency=low * Initial release. -- Russ Allbery Fri, 4 Aug 2006 17:05:04 -0700