1. Name Switch Server
Groups and users (passwd) come first from afs and then from files. This requires special trickery to ensure openafs starts before even the firewall.
We chose libnss-afs because there isn't really any point being able to query networked user and group information if openafs is not working since anything needing that info is going to rely on openafs anyway. Which is to say basically everything.
2. PAM
Using the standard Debian squeeze pam config framework, we have pam_krb5 and pam_afs_session enabled to permit Kerberos users to login. On admin nodes, login.restrict is used to only allow admins access.