Kerberos Server Implementation

Russ Allbery eagle at
Fri Jan 21 14:19:16 EST 2022

Charles Hedrick <hedrick at> writes:

> This is a client-server pair designed to create home directories for
> users. When you’re using kerberized NFS the normal pam_mkhomedir won’t
> work, because it assumes that root can create directories in the file
> system. With kerberized NFS, root has no special privileges. So we have
> a pam_kmkhomedir that calls a process on the file server to do the
> creation.

> If I were doing it again, I’d probably write it using GSSAPI rather than
> a basic Kerberos client / server. Then I could write the server as a web
> service in python and use libcurl on the client side. Unfortunately it
> doesn’t seem to be practical to write a pam module in anything other
> than C, but with libcurl all the GSSAPi stuff is handled by the
> library. If the client isn’t a pam module, it’s easy enough to write a
> GSSAPI client in python. (I can give you example client-server if you
> need it.)

You may also be interested in remctl, which is designed to do this sort of

Russ Allbery (eagle at             <>

More information about the Kerberos mailing list