diff -upr pam_krb5-1.3-rc7.orig/debian/changelog pam_krb5-1.3-rc7/debian/changelog
--- pam_krb5-1.3-rc7.orig/debian/changelog	2003-02-10 06:31:03.000000000 -0800
+++ pam_krb5-1.3-rc7/debian/changelog	2005-12-03 17:30:30.000000000 -0800
@@ -1,3 +1,11 @@
+libpam-krb5 (1.3-3.rc7-1) unstable; urgency=low
+
+  * Option for shared cred
+  * Build against mit krb5
+  * Disable krb4
+
+ -- Vince Busam <vbusam@google.com>  Fri, 16 Sep 2005 16:48:34 -0400
+
 libpam-heimdal (1.3-3.rc6) unstable; urgency=low
 
   * New upstream release
diff -upr pam_krb5-1.3-rc7.orig/debian/control pam_krb5-1.3-rc7/debian/control
--- pam_krb5-1.3-rc7.orig/debian/control	2003-02-10 10:14:52.000000000 -0800
+++ pam_krb5-1.3-rc7/debian/control	2005-12-03 17:29:43.000000000 -0800
@@ -1,15 +1,14 @@
-Source: libpam-heimdal
+Source: libpam-krb5
 Section: net
 Priority: optional
 Maintainer: Balazs GAL <balsa@rit.bme.hu>
 Standards-Version: 3.5.6
-Build-Depends: debhelper, heimdal-dev (>= 0.4e-6), kerberos4kth-dev (>=1.1-7), libdb3-dev, libpam0g-dev, automake, autoconf
+Build-Depends: debhelper, libkrb5-dev, libdb3-dev, libpam0g-dev, automake, autoconf
 
-Package: libpam-heimdal
+Package: libpam-krb5
 Architecture: any
 Depends: ${shlibs:Depends}
-Conflicts: libpam-krb5
-Description: PAM module for Heimdal Kerberos 5
- A Kerberos PAM module for use with Heimdal Kerberos 5. This
- module should only be used for local or for encrypted networking
- logins unless you really know what you are doing.
+Description: PAM module for Kerberos 5
+ A Kerberos PAM module for use with Kerberos 5. This module should only be
+ used for local or for encrypted networking logins unless you really know
+ what you are doing.
diff -upr pam_krb5-1.3-rc7.orig/debian/rules pam_krb5-1.3-rc7/debian/rules
--- pam_krb5-1.3-rc7.orig/debian/rules	2003-02-12 11:58:57.000000000 -0800
+++ pam_krb5-1.3-rc7/debian/rules	2005-12-03 17:29:43.000000000 -0800
@@ -13,7 +13,7 @@ build: build-stamp
 build-stamp: configure
 	dh_testdir
 	# Add here commands to compile the package.
-	./configure --prefix=/usr --with-krb5=/usr --with-pamdir=/lib/security
+	./configure --prefix=/usr --with-krb5=/usr --with-pamdir=/lib/security --without-krb4
 	$(MAKE)
 	touch build-stamp
 
diff -upr pam_krb5-1.3-rc7.orig/pam_krb5afs.c pam_krb5-1.3-rc7/pam_krb5afs.c
--- pam_krb5-1.3-rc7.orig/pam_krb5afs.c	2003-03-10 15:37:00.000000000 -0800
+++ pam_krb5-1.3-rc7/pam_krb5afs.c	2005-12-03 17:51:03.000000000 -0800
@@ -241,6 +241,7 @@ struct config {
 	int minimum_uid;
 	int retain_token;			/* retain token after session closed */
 	int refresh_creds;
+	int shared_cred;
 	char *banner;
 	char **cell_list;
 	char *realm;
@@ -1298,6 +1299,11 @@ get_config(krb5_context context, int arg
 	ret->warn_period = i;
 	DEBUG("warn_period %d", ret->warn_period);
 
+	/* Whether to create shared ccace file. */
+	appdefault_boolean(context, "shared_cred", argc, argv,
+			   FALSE, &ret->shared_cred);
+	DEBUG("shared_cred %s", ret->shared_cred ? "true" : "false");
+
 	/* Parse the rest of the arguments which don't fit the above
 	 * scheme very well. */
 	for (i = 0; i < argc; i++) {
@@ -2515,7 +2521,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 		stash_name = NULL;
 		if (prc == PAM_SUCCESS) {
 			DEBUG("credentials retrieved");
-			
 			if (RC_OK && config->refresh_creds && (strlen(stash->v5_path) == 0) 
 			    && !config->force_save_tokens) {
 			    
@@ -2610,10 +2615,17 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 				krc = KRB5_SUCCESS;
 			}
 			if (strlen(stash->v5_path) == 0) {
-				snprintf(v5_path, sizeof(v5_path),
-					 "%s/krb5cc_%d_XXXXXX",
-					 config->ccache_dir, stash->uid);
-				tmpfd = mkstemp(v5_path);
+				if (config->shared_cred) {
+					snprintf(v5_path, sizeof(v5_path),
+						 "%s/krb5cc_%d",
+						 config->ccache_dir, stash->uid);
+						 tmpfd = safe_create(config, v5_path);
+				} else {
+					snprintf(v5_path, sizeof(v5_path),
+						 "%s/krb5cc_%d_XXXXXX",
+						 config->ccache_dir, stash->uid);
+						 tmpfd = mkstemp(v5_path);
+				}
 				if (tmpfd != -1) {
 					memset(stash->v5_path, '\0',
 					       sizeof(stash->v5_path));
@@ -2652,6 +2664,9 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 				if (krc == KRB5_SUCCESS) {
 					krc = krb5_cc_initialize(context, ccache,
 								 stash->v5_creds.client);
+					/* If we have to initialize, we don't need to refresh */
+					config->refresh_creds = FALSE;
+
 				}
 				if (krc != KRB5_SUCCESS) {
 					CRIT("error initializing ccache %s for `%s': %s",
@@ -2732,6 +2747,10 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 				DEBUG("call pam_getenv()");
 				/* Idea from pam_openafs_session. */
 				filecache = pam_getenv(pamh,namecache);
+				if (filecache == NULL) {
+				  DEBUG("pam_getenv() can't get KRB5CCNAME from PAM. Using default.");
+			 	  filecache = krb5_cc_default_name(context);
+				}
 				if ((filecache != NULL) && (strncmp(filecache, "FILE:", 5) == 0) &&
 				    (strlen(filecache) > 5)) {
 					p = filecache;
@@ -2750,7 +2769,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 						      krc ? error_message(krc) : "Success");
 					}
 				} else {
-					DEBUG("pam_getenv() can't get KRB5CCNAME from PAM");
+					DEBUG("Can't get a ccname from env or krb5_cc_default_name().");
 					prc = PAM_SYSTEM_ERR;
 				}
 				if (RC_OK) {
@@ -2814,6 +2833,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 				if (prc == PAM_SUCCESS) {
 					DEBUG("credentials saved for `%s' (%s)",
 					      unparsedname, stash_name);
+					/* Note that we have refreshed them */
+					stash->refresh_v5_creds = TRUE;
 				} else {
 					DEBUG("error saving credentials for `%s (%s)'",
 					      unparsedname, stash_name);
@@ -2967,10 +2988,17 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 			
 			if (strlen(stash->v4_path) == 0) {
 				/* Create a new ticket file. */
-				snprintf(v4_path, sizeof(v4_path),
-					 "%s/tkt%d_XXXXXX",
-					 config->ccache_dir, stash->uid);
-				tmpfd = mkstemp(v4_path);
+				if (config->shared_cred) {
+					snprintf(v4_path, sizeof(v4_path),
+						 "%s/tkt%d",
+						 config->ccache_dir, stash->uid);
+					tmpfd = safe_create(config, v4_path);
+				} else {
+					snprintf(v4_path, sizeof(v4_path),
+						 "%s/tkt%d_XXXXXX",
+						 config->ccache_dir, stash->uid);
+					tmpfd = mkstemp(v4_path);
+				}
 				if (tmpfd != -1) {
 					memset(stash->v4_path, '\0',
 					       sizeof(stash->v4_path));
@@ -3190,7 +3218,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 		stash_name = NULL;
 		if ((prc == PAM_SUCCESS) && (strlen(stash->v5_path) > 0)) {
 			/* Delete the v5 ticket cache. */
-			DEBUG("removing %s", stash->v5_path);
+			DEBUG("removing %s (retain_token=FALSE)", stash->v5_path);
 			if (remove(stash->v5_path) == -1) {
 				CRIT("error removing file %s: %s",
 				     stash->v5_path, strerror(errno));
@@ -3201,7 +3229,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 #ifdef HAVE_KERBEROS_V4
 		if ((prc == PAM_SUCCESS) && (strlen(stash->v4_path) > 0)) {
 			/* Delete the v4 ticket cache. */
-			DEBUG("removing %s", stash->v4_path);
+			DEBUG("removing %s (krb4)", stash->v4_path);
 			if (remove(stash->v4_path) == -1) {
 				CRIT("error removing file %s: %s",
 				     stash->v4_path, strerror(errno));