adclient.krb5.password.change.hook
The adclient.krb5.password.change.hook configuration parameter specifies the full path of the command that adclient runs after adclient has changed a password and updated the krb5.keytab file.
By default, this parameter is empty.
Here's an example where you would use this parameter:
You want adclient to maintain an external keytab file for the ftp service that a non-privileged user "ftp" runs. You need adclient to copy only the ftp keys from the machine keytab file to a keytab file that only the "ftp" user can read. You can create a script, for example, /var/ftp/create_keytab_for_ftp.sh to help you to do this:
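#!/bin/sh
# Copy only the ftp keys from the machine keytab into /var/ftp/ftp.keytab,
# then make the ftp user the owner of the new file.
/usr/sbin/adkeytab -o -P ftp -K /var/ftp/ftp.keytab -b /etc/krb5.keytab && \
chown ftp:ftp /var/ftp/ftp.keytab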
And then you add the script to the adclient.krb5.password.change.hook parameter:
adclient.krb5.password.change.hook: /var/ftp/create_keytab_for_ftp.sh
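The hook in this example reads /etc/krb5.keytab and runs chown, which implies it runs with root privileges, so it is worth auditing who can modify the script and who can read the keytab it writes. The following check is an added example, not part of the product documentation; the function names are hypothetical and the expected owner uid of 0 for the script is an assumption.

```shell
#!/bin/sh
# Added example: audit the hook script and the keytab it produces.
# Assumption: the hook runs with root privileges, so in production the
# expected owner uid of the script and its directory is 0.

# Print "<mode string> <numeric uid>" for a path, using only POSIX ls/awk.
mode_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# Pass only if the path is owned by uid $2 and not group/other writable.
not_writable_by_others() {
    info=$(mode_uid "$1")
    [ -n "$info" ] || { echo "MISSING $1"; return 2; }
    case "${info% *}" in
        ?????w????|????????w?) echo "FAIL $1: group/other writable"; return 1 ;;
    esac
    [ "${info#* }" = "$2" ] || { echo "FAIL $1: owner uid is ${info#* }"; return 1; }
}

# check_hook <script> <expected uid>: the script and its directory must be
# controlled by the expected owner, otherwise another account can change
# what the hook executes.
check_hook() {
    [ -x "$1" ] || { echo "FAIL $1: not executable"; return 1; }
    not_writable_by_others "$1" "$2" &&
    not_writable_by_others "$(dirname "$1")" "$2"
}

# check_keytab <keytab> <expected uid>: owner-only access, no group/other bits.
check_keytab() {
    info=$(mode_uid "$1")
    [ -n "$info" ] || { echo "MISSING $1"; return 2; }
    case "${info% *}" in
        -???------) ;;
        *) echo "FAIL $1: mode ${info% *} grants group/other access"; return 1 ;;
    esac
    [ "${info#* }" = "$2" ] || { echo "FAIL $1: owner uid is ${info#* }"; return 1; }
}

# Usage with the page's paths (uid of the ftp account looked up at run time):
#   check_hook   /var/ftp/create_keytab_for_ftp.sh 0
#   check_keytab /var/ftp/ftp.keytab "$(id -u ftp)"
```

If check_hook fails because /var/ftp is owned by or writable for the ftp account, keep the script in a root-owned directory and point adclient.krb5.password.change.hook at that path instead.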