Re: Pam, Heimdal
On Tue, Nov 19, 2002 at 02:46:18PM +0100, Valentin v. Seggern wrote:
> Hello List,
>
> this has probably been asked a million times, but I have not yet
> read a complete answer to this. If there is one, please correct my
> ignorance.
>
> I need a setup for several Linux computers with PAM & Heimdal. I
> tried every pam_krb5 module I could find (I think that was F.
> Kusacks (with and without the debian patches) and kpam)
Try my Heimdal port of RedHat's pam_krb5, which contains some major
bugfixes and some additional features like:
- convert krb5 tgt to krb4 tgt (krb524)
  (the mainstream implements it wrong),
- get afs tokens with krb5_afslog,
- optional native kth-krb4 ticket grabbing.

I wrote new code which is useful e.g. for ssh with token
forwarding. It tries to use and convert the forwarded krb5 tgt
to a krb4 tgt and to afs tokens (like pam_openafs_session).

The new refresh_creds option:
It is very useful e.g. with xlock. If you unlock
the display then it will refresh your tickets and tokens if
possible.

My heimdal works now with Heimdal and with MIT-krb5.
Known to work on Linux and FreeBSD.

I just released pam_krb5-heimdal-1_3-rc4.tar.gz
http://www.rit.bme.hu/~balsa/pam_krb5/
> to set up
> rules that would let root login based on unix-based authentication
> and kerberos user via pam_krb5.
Do the Kerberos users have a shadow entry in nss or not?
If not, then a required pam_unix in the account chain can break
the login of a Kerberos user on your system.
Please send back your pam chain and the answer to the above question.
> As far as I can see the problem is, that pam does map all users to
> root.
It's not true.
balsa
- References:
- Pam, Heimdal
- From: "Valentin v. Seggern" <vvs@germanistik.fu-berlin.de>
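
The failure mode raised in the reply above (a required pam_unix in the account chain rejecting a Kerberos-only user) can be checked on paper with a small model of PAM's control flags. This is an added example, not part of the original message and not code from pam_krb5; it models only the four classic control flags, and both stacks and the per-module results are constructed assumptions.

```python
# Simplified model of PAM's required/requisite/sufficient/optional flags.
# No real PAM modules are run: the caller supplies each module's result.

def parse_stack(text, pam_type):
    """Return [(control, module)] for one management group, e.g. 'account'."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == pam_type:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(text, pam_type, results):
    """results maps module name -> True (PAM_SUCCESS) or False (any error)."""
    required_failed = False
    any_success = False
    for control, module in parse_stack(text, pam_type):
        ok = results[module]
        if control == "requisite" and not ok:
            return False                  # fail immediately
        if control == "sufficient":
            if ok and not required_failed:
                return True               # short-circuit: later modules skipped
            continue                      # a failing sufficient module is ignored
        if control in ("required", "requisite") and not ok:
            required_failed = True        # remembered, but the stack keeps running
        any_success = any_success or ok
    return any_success and not required_failed

# Constructed stacks (assumptions, not the poster's configuration).
BOTH_REQUIRED = """
account required   pam_unix.so
account required   pam_krb5.so
"""
KRB5_SUFFICIENT = """
account sufficient pam_krb5.so
account required   pam_unix.so
"""
# Assumed module results: a Kerberos-only user has no shadow entry, so
# pam_unix fails; local root has no principal, so pam_krb5 fails.
KERBEROS_ONLY_USER = {"pam_unix.so": False, "pam_krb5.so": True}
LOCAL_ROOT = {"pam_unix.so": True, "pam_krb5.so": False}

if __name__ == "__main__":
    for name, stack in (("both required", BOTH_REQUIRED),
                        ("krb5 sufficient", KRB5_SUFFICIENT)):
        print(name, "kerberos user:", evaluate(stack, "account", KERBEROS_ONLY_USER),
              "root:", evaluate(stack, "account", LOCAL_ROOT))
```

Marking pam_krb5 as sufficient also means that a successful Kerberos account check skips every later account module for that user, so local expiry or access checks placed after it will not run.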