LDAP+Kerberos authentication on Debian Squeeze (+ AFS client)

Start by installing the necessary packages:

apt-get install krb5-user libnss-ldap libpam-krb5 libpam-ldap openafs-client openafs-modules-dkms libpam-afs-session

Modify /etc/pam_ldap.conf and /etc/libnss-ldap.conf to look like this:

base dc=example,dc=com
uri ldap://ip.to.ldap.host
ldap_version 3

Add ldap to passwd and group lines in /etc/nsswitch.conf, it should now look like this:

passwd:         compat ldap
group:          compat ldap
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Add host principal, (the reverse dns for client must also point towards it’s hostname (client.domain)):

kadmin -p root/admin
addprinc -randkey host/client.domain
ktadd host/client.domain

Enable GSSAPI Authentication in SSH server by this to /etc/ssh/sshd_config

GSSAPIAuthentication yes

Also enable GSSAPI in the SSH client by adding this to /etc/ssh/ssh_config:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Belgarion's blog

Just another Blog weblog

LDAP+Kerberos authentication on Debian Squeeze (+ AFS client)