LDAP+Kerberos authentication on Debian Squeeze (+ AFS client)

Start by installing the necessary packages:

apt-get install krb5-user libnss-ldap libpam-krb5 libpam-ldap openafs-client openafs-modules-dkms libpam-afs-session


Modify /etc/pam_ldap.conf and /etc/libnss-ldap.conf to look like this:

base dc=example,dc=com
uri ldap://ip.to.ldap.host
ldap_version 3


Add ldap to the passwd and group lines in /etc/nsswitch.conf; it should now look like this:

passwd:         compat ldap
group:          compat ldap
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Add the host principal (the reverse DNS for the client must also point to its hostname, client.domain):

kadmin -p root/admin
addprinc -randkey host/client.domain
ktadd host/client.domain


Enable GSSAPI authentication in the SSH server by adding this to /etc/ssh/sshd_config:

GSSAPIAuthentication yes


Also enable GSSAPI in the SSH client by adding this to /etc/ssh/ssh_config:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
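As an added check, not part of the original post: a POSIX sh preflight script that validates what the steps above depend on (ldap in nsswitch.conf, GSSAPIAuthentication in sshd_config, the host principal in the keytab, and the client's reverse DNS). File paths and the klist, getent and hostname tools are assumed to be the standard Debian ones; each check also accepts a file path so it can be run on constructed samples.

```sh
#!/bin/sh
# Added example (not from the original post): preflight checks for a Debian
# client configured as above. Each check takes a file path, so it can run
# against the live host or against constructed sample files.
set -u

# nsswitch.conf ($1): does database $2 (passwd or group) list the ldap source?
nss_db_has_ldap() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                     END { exit ok ? 0 : 1 }' "$1"
}

# sshd_config ($1): sshd honours the FIRST occurrence of a keyword, so an
# appended "GSSAPIAuthentication yes" is ignored if an earlier "no" exists.
sshd_gssapi_enabled() {
    awk 'tolower($1) == "gssapiauthentication" { print tolower($2); exit }' "$1" \
        | grep -qx yes
}

# klist -k output ($1): is the host/<fqdn> principal ($2) in the keytab?
# Without it sshd cannot accept the service ticket the client presents.
keytab_has_host_principal() {
    grep -qF "host/$2@" "$1"
}

# The post requires the client's reverse DNS to give its FQDN: the address
# $1 must resolve back to $2. Uses getent, so /etc/hosts entries count too.
reverse_dns_matches() {
    name=$(getent hosts "$1" | awk '{ print $2; exit }')
    [ "$name" = "$2" ]
}

# Run all checks on the live system: sh preflight.sh --live
run_live() {
    fqdn=$(hostname -f)
    ip=$(getent hosts "$fqdn" | awk '{ print $1; exit }')
    kt=$(mktemp) && klist -k > "$kt"
    for db in passwd group; do
        nss_db_has_ldap /etc/nsswitch.conf "$db" && echo "nsswitch $db: ok" \
            || echo "nsswitch $db: ldap missing"
    done
    sshd_gssapi_enabled /etc/ssh/sshd_config && echo "sshd: GSSAPI on" || echo "sshd: GSSAPI off"
    keytab_has_host_principal "$kt" "$fqdn" && echo "keytab: ok" || echo "keytab: no host/$fqdn"
    reverse_dns_matches "$ip" "$fqdn" && echo "rdns: ok" || echo "rdns: $ip is not $fqdn"
    rm -f "$kt"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

The sshd check deliberately reads only the first GSSAPIAuthentication line, mirroring how sshd itself parses its configuration.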

Installing OpenAFS client on Windows 7 (64bit)

Start by downloading the files:
OpenAFS 64bit
OpenAFS 32bit tools
Heimdal kerberos 64bit and 32bit
Network Identity Manager

Then install them in this order:

  1. Heimdal
  2. netidmgr-AMD64
  3. openafs 64bit (Choose “Disable” on the integrated logon setting)
  4. openafs-32bit-tools

Add “allow_weak_crypto = true” under [libdefaults] in %SYSTEMROOT%\ProgramData\Kerberos\krb5.conf (OpenAFS of this vintage still uses DES session keys, which Heimdal otherwise refuses).

Reboot.

Multiple virtual network interfaces using netgraph

Load the ng_ether module to make the real interfaces visible to netgraph:

kldload ng_ether

or add it to /boot/loader.conf to load it at boot:

echo 'ng_ether_load="YES"' >> /boot/loader.conf

Create the bridge and give it a name:

ngctl mkpeer em0: bridge lower link1
ngctl name em0:lower br0

Connect the physical interface to the bridge:

ngctl connect em0: br0: upper link2

Disable the automatic overwriting of the source (MAC) address on the physical interface, so frames from the virtual interfaces keep their own address:

ngctl msg em0: setautosrc 0

Enable promiscuous mode on the physical interface:

ngctl msg em0: setpromisc 1

Create the virtual interfaces and connect them to the bridge:

ngctl mkpeer br0: eiface link3 ether
ngctl mkpeer br0: eiface link4 ether

Set a unique MAC address on each of the virtual interfaces:

ifconfig ngeth0 link 00:5c:16:10:dd:79
ifconfig ngeth1 link 00:5c:16:10:dd:80