This is a major rewrite of pam_krb5afs.  Call it 2.0, for lack of a better term.

  o Compared to the earlier releases, this tree builds a single module which
    "knows" how to do everything which is knowable at compile-time.
  o Configuration options which can now be set as library defaults in the
    system-wide krb5.conf are now ignored by the module.

Standard options:
  o debug
    Log debugging messages at LOG_DEBUG priority.
  o no_warn
    When authenticating, don't warn the user about an expired password.
  o use_authtok
    When changing passwords, never prompt for password data.  Instead, use
    data stored by a previously-called module.
  o use_first_pass
    When authenticating, never prompt for password data.  Instead, use a
    password which was stored by a previously-called module.
  o try_first_pass
    When authenticating, first try to authenticate using the password which
    was stored by a previously-called module.  If it fails, then prompt for
    the correct password and try again.

Recognized options (krb5.conf's appdefaults/pam section, and command-line):
  o banner=Kerberos
    When changing passwords, tell users that they are changing their Kerberos
    passwords (unset to avoid using any term other than "password").
  o ccache_dir=/tmp
    Directory in which to store ccache and ticket files.
  o keytab=/etc/krb5.keytab
    Default keytab to use when validating initial credentials.
  o krb4_convert
    Obtain Kerberos IV ticket files, even if not required for the sake of AFS.
  o minimum_uid=NUMBER
    Default keytab to use when validating initial credentials.
  o no_user_check
    Go ahead and authenticate users for whom getpwnam() returns no
    information.  Credential cache and ticket files will be created and owned
    by the current user and group ID instead of the user's.
  o realm=REALM
    Override the default realm.
  o tokens
    Obtain AFS tokens during the authentication phase.
  o validate
    Validate initial credentials.  By default, credentials are validated if
    the specified keytab file can be read.

Configuration file only:
  o afs_cells = cell1 cell2 cell3

This module's CVS repository is hosted on elvis.redhat.com.  To check the
current sources out of CVS, use the anoncvs access.

  cvs -d :pserver:anoncvs@elvis.redhat.com:/usr/local/CVS login
  cvs -d :pserver:anoncvs@elvis.redhat.com:/usr/local/CVS co pam_krb5
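
The validate and no_user_check descriptions above imply two settings worth
checking on a deployed host.  The following is an added example, not part of
pam_krb5afs: a small audit of the appdefaults/pam section of a krb5.conf.  The
function names, the sample configuration and the "true/yes/on/1" boolean
spellings are assumptions made for illustration.

```python
import re

# Defaults as listed in the README above.
DEFAULTS = {"ccache_dir": "/tmp", "keytab": "/etc/krb5.keytab"}
TRUE = {"true", "yes", "on", "1"}  # assumed boolean spellings

def pam_appdefaults(conf_text):
    """Collect key = value pairs from a flat `pam = { ... }` block in [appdefaults]."""
    opts, section, in_pam = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, in_pam = header.group(1), False
        elif section != "appdefaults":
            continue
        elif re.fullmatch(r"pam\s*=\s*\{", line):
            in_pam = True
        elif line == "}":
            in_pam = False
        elif in_pam and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key] = value
    return opts

def audit(conf_text, keytab_readable):
    """keytab_readable: callable(path) -> bool, e.g. lambda p: os.access(p, os.R_OK)."""
    opts = {**DEFAULTS, **pam_appdefaults(conf_text)}
    findings = []
    # README: without "validate", validation happens only if the keytab is readable.
    if "validate" not in opts and not keytab_readable(opts["keytab"]):
        findings.append("validate unset and %s unreadable: initial credentials "
                        "are not validated" % opts["keytab"])
    if opts.get("no_user_check", "").lower() in TRUE:
        findings.append("no_user_check set: ccache and ticket files are owned by "
                        "the calling user, not the authenticating user")
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[appdefaults]
    pam = {
        keytab = /etc/pam.keytab
        no_user_check = true
    }
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, lambda path: False):
        print(finding)
```

On a real host, pass the contents of the system-wide krb5.conf and
lambda p: os.access(p, os.R_OK), run as the user the PAM-using service runs as.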