I bit the bullet and released pam_krb5 2.2 this week, so that finally people
can stop pulling CVS snapshots to get the benefit of code that works correctly
in the presence of OpenSSH's privilege separation, along with a couple of
other new features. This one sat in CVS for far too long after I branched 2.1
for maintenance, but the new features took longer to debug than I'd hoped.
I also spent an unusually large amount of time looking at LDAP resolution for
user names, and PADL's nss_ldap in particular. The problem we need to solve
here is that LDAP is a hierarchical name space, which lets you define
posixAccount objects with the same user name so long as you put them in
different parts of the tree, while Unix and Unix-like systems expect a flat
namespace. So while a directory server may happily let you create two account
objects for users named "joe", the client systems aren't going to like it.
After toying with the idea, I figure the simplest thing to do is to take a
page from the Samba team's winbindd and start munging up user names
at the client in order to guarantee uniqueness of user names from the point of
view of workstations. Basically, to make users whose entries live under
ou=other,dc=example,dc=com appear to have a non-default prefix or
suffix applied to their user and group names. The configuration file format
starts to look a little limited when you consider how you'd express this, but
I think the idea is sound.
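As an added illustration of the munging idea (example code, not anything from pam_krb5, nss_ldap or winbindd), the following Python maps constructed directory entries to a flat namespace using a hypothetical per-subtree prefix/suffix table and refuses to hand out a name that two entries would share:

```python
# Client-side name munging for a hierarchical LDAP tree (constructed example).
# Several posixAccount entries may carry uid=joe in different subtrees; the
# workstation needs one flat namespace, so entries under a configured base DN
# get a prefix or suffix applied to the name the client sees.

# Constructed directory entries: (DN, uid). Not taken from a real server.
ENTRIES = [
    ("uid=joe,ou=people,dc=example,dc=com", "joe"),
    ("uid=joe,ou=other,dc=example,dc=com", "joe"),
    ("uid=ann,ou=other,dc=example,dc=com", "ann"),
    ("uid=bob,ou=people,dc=example,dc=com", "bob"),
]

# Hypothetical configuration: subtree base DN -> (prefix, suffix).
# The default subtree gets no affix; anything under ou=other gets "@other".
AFFIXES = {
    "ou=people,dc=example,dc=com": ("", ""),
    "ou=other,dc=example,dc=com": ("", "@other"),
}


def affix_for(dn, affixes=AFFIXES):
    """Pick the most specific configured base DN that contains dn.

    Matching is a plain suffix test on the DN string; escaped commas in RDNs
    are not handled, which is fine for this illustration.
    """
    best = None
    for base, affix in affixes.items():
        if dn.endswith("," + base) and (best is None or len(base) > len(best[0])):
            best = (base, affix)
    if best is None:
        raise LookupError("no configured subtree contains %s" % dn)
    return best[1]


def munge(dn, uid, affixes=AFFIXES):
    """Return the client-side user name for one directory entry."""
    prefix, suffix = affix_for(dn, affixes)
    return prefix + uid + suffix


def flat_namespace(entries, affixes=AFFIXES):
    """Map every entry to a unique client-side name (name -> DN).

    If two entries still collapse onto the same name the configuration is
    ambiguous, and refusing is safer than silently resolving to one of them.
    """
    names = {}
    for dn, uid in entries:
        name = munge(dn, uid, affixes)
        if name in names:
            raise ValueError("%s and %s both map to %s" % (names[name], dn, name))
        names[name] = dn
    return names
```

The name -> DN map is the direction getpwnam() needs on the client: "joe" resolves to the default-subtree entry and "joe@other" to the one under ou=other.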