
Re: Pam, Heimdal



On Tue, Nov 19, 2002 at 02:46:18PM +0100, Valentin v. Seggern wrote:
> Hello List,
> 
> this has probably been asked a million times, but I have not yet
> read a complete answer to this. If there is one, please correct my
> ignorance.
> 
> I need a setup for several Linux computers with PAM & Heimdal. I
> tried every pam_krb5 module I could find (I think that was F.
> Kusack's (with and without the Debian patches) and kpam)

Try my Heimdal port of RedHat's pam_krb5, which contains some major
bugfixes and some additional features like:
converting the krb5 TGT to a krb4 TGT (krb524)
(the mainstream implements it wrong),
getting AFS tokens with krb5_afslog,
optional native kth-krb4 ticket grabbing.

I wrote some new code which is useful e.g. with ssh with token
forwarding. It tries to use and convert the forwarded krb5 TGT
to a krb4 TGT and to AFS tokens (like pam_openafs_session).

The new refresh_creds option:
It is very useful e.g. with xlock. If you unlock
the display, it will refresh your tickets and tokens if
possible.

My pam_krb5 now works with Heimdal and with MIT krb5.
It is known to work on Linux and FreeBSD.

I just released pam_krb5-heimdal-1_3-rc4.tar.gz
http://www.rit.bme.hu/~balsa/pam_krb5/

> to set up
> rules that would let root log in based on Unix-based authentication
> and Kerberos users via pam_krb5.

Do the Kerberos users have shadow entries in NSS or not?

If not, then a required pam_unix in the account chain can break
the login of a Kerberos user on your system.

Please send back your pam chain and the answer for the above question.

> As far as I can see the problem is, that pam does map all users to
> root. 

It's not true.

balsa
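The account-chain point raised in the reply, as an added example that is not part of the original mail and not code from balsa's pam_krb5: a small Python model of the Linux-PAM control flags (required, requisite, sufficient, optional) run over two account stacks for a constructed set of users. The user names, the two stacks and the simplified module behaviour (pam_unix fails for a user that NSS does not know, the toy pam_krb5 succeeds for anyone with a principal) are assumptions for illustration, not the real modules' return codes or option names.

```python
"""Toy model of Linux-PAM control-flag semantics for the account chain.

Added example for the mail above, not code from the original post or from
the pam_krb5 module it announces. It models the question the reply asks:
what happens to a Kerberos user with no passwd/shadow entry in NSS when the
account chain contains a 'required pam_unix.so' line.
"""

PAM_SUCCESS, PAM_FAIL = "success", "fail"

# Constructed users (assumption): 'nss' = has a passwd/shadow entry visible
# through NSS, 'krb5' = has a Kerberos principal. 'alice' is the
# Kerberos-only user from the question; root is a purely local account.
USERS = {
    "root":  {"nss": True,  "krb5": False},
    "bob":   {"nss": True,  "krb5": True},
    "alice": {"nss": False, "krb5": True},
}


def pam_unix_account(user):
    # pam_unix looks the account up through NSS (getpwnam/getspnam);
    # an unknown user is a failure for the account check.
    return PAM_SUCCESS if USERS[user]["nss"] else PAM_FAIL


def pam_krb5_account(user):
    # Simplified assumption: the toy pam_krb5 accepts any user with a principal.
    return PAM_SUCCESS if USERS[user]["krb5"] else PAM_FAIL


MODULES = {"pam_unix.so": pam_unix_account, "pam_krb5.so": pam_krb5_account}


def run_stack(stack, user):
    """Evaluate a list of (control, module) lines with Linux-PAM's legacy flags.

    required  : a failure is remembered but the rest of the stack still runs
    requisite : a failure returns immediately
    sufficient: a success returns immediately unless a required module already failed
    optional  : only decides the outcome if nothing else did
    """
    required_failed = False
    decisive_success = False
    optional_result = None
    for control, module in stack:
        result = MODULES[module](user)
        if control == "required":
            if result == PAM_FAIL:
                required_failed = True
            else:
                decisive_success = True
        elif control == "requisite":
            if result == PAM_FAIL:
                return PAM_FAIL
            decisive_success = True
        elif control == "sufficient":
            if result == PAM_SUCCESS and not required_failed:
                return PAM_SUCCESS
            # a failing sufficient module is simply ignored
        elif control == "optional":
            optional_result = result
        else:
            raise ValueError(f"unknown control flag: {control}")
    if required_failed:
        return PAM_FAIL
    if decisive_success:
        return PAM_SUCCESS
    return optional_result if optional_result is not None else PAM_FAIL


# The chain the reply warns about (constructed): pam_unix is required and
# runs first, so its failure for a user unknown to NSS sticks even though the
# sufficient pam_krb5 line succeeds afterwards.
BROKEN_ACCOUNT = [
    ("required",   "pam_unix.so"),
    ("sufficient", "pam_krb5.so"),
]

# Reordered chain (constructed): a Kerberos user is accepted by the
# sufficient pam_krb5 line before pam_unix is consulted, while root and
# other local users fall through to pam_unix.
WORKING_ACCOUNT = [
    ("sufficient", "pam_krb5.so"),
    ("required",   "pam_unix.so"),
]


def evaluate(stack):
    """Run a stack for every constructed user and return {user: result}."""
    return {user: run_stack(stack, user) for user in USERS}


if __name__ == "__main__":
    for name, stack in (("broken", BROKEN_ACCOUNT), ("working", WORKING_ACCOUNT)):
        print(name, evaluate(stack))
```

The other way out that the reply hints at is to give the Kerberos users an NSS entry: with `USERS["alice"]["nss"] = True` the broken stack accepts alice as well, because pam_unix's account lookup then succeeds. The same ordering pattern (sufficient pam_krb5 before required pam_unix) is what lets root authenticate locally while Kerberos users go through pam_krb5 in the auth chain, which is the rule the original question asked for.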