LDAP+Kerberos authentication on Debian Squeeze (+ AFS client)

Start by installing the necessary packages:

apt-get install krb5-user libnss-ldap libpam-krb5 libpam-ldap openafs-client openafs-modules-dkms libpam-afs-session

Modify /etc/pam_ldap.conf and /etc/libnss-ldap.conf to look like this:

base dc=example,dc=com
uri ldap://ip.to.ldap.host
ldap_version 3

Add ldap to the passwd and group lines in /etc/nsswitch.conf; it should now look like this:

passwd:         compat ldap
group:          compat ldap
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Add a host principal (the reverse DNS for the client must also point to its hostname, client.domain):

kadmin -p root/admin
addprinc -randkey host/client.domain
ktadd host/client.domain

Enable GSSAPI authentication in the SSH server by adding this to /etc/ssh/sshd_config:

GSSAPIAuthentication yes

Also enable GSSAPI in the SSH client by adding this to /etc/ssh/ssh_config:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
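
A way to confirm that the file edits above are in place, as an added example that is not part of the original post: the function names (nss_has_ldap, ldap_settings, ssh_opt_yes, audit, make_sample) are hypothetical, and the sample tree is constructed from the values shown on this page. It does not evaluate Host/Match blocks and does not check the keytab or contact the LDAP or Kerberos servers.

```shell
#!/bin/sh
# Added example: offline checks for the files edited in the steps above.

# Succeeds if database $2 (passwd, group) in nsswitch file $1 lists ldap.
nss_has_ldap() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                     END { exit !ok }' "$1"
}
# Prints base, uri and ldap_version from an LDAP client config, normalised and sorted.
ldap_settings() {
    awk '$1 == "base" || $1 == "uri" || $1 == "ldap_version" { $1 = $1; print }' "$1" | sort
}
# Succeeds if keyword $2 is "yes" in ssh/sshd config $1. Keywords are case-insensitive
# and the first value wins; Host/Match blocks are not evaluated (simplification).
ssh_opt_yes() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1" | grep -qx yes
}
# audit ROOT checks the files under ROOT/etc; audit "" checks the live system.
audit() {
    root=$1; rc=0
    for db in passwd group; do
        nss_has_ldap "$root/etc/nsswitch.conf" "$db" || { echo "FAIL: $db: no ldap source"; rc=1; }
    done
    pam=$(ldap_settings "$root/etc/pam_ldap.conf")
    nss=$(ldap_settings "$root/etc/libnss-ldap.conf")
    { [ -n "$pam" ] && [ "$pam" = "$nss" ]; } ||
        { echo "FAIL: LDAP client configs differ or are empty"; rc=1; }
    for f in sshd_config ssh_config; do
        ssh_opt_yes "$root/etc/ssh/$f" GSSAPIAuthentication || { echo "FAIL: $f: GSSAPI off"; rc=1; }
    done
    ssh_opt_yes "$root/etc/ssh/ssh_config" GSSAPIDelegateCredentials ||
        { echo "FAIL: ssh_config: no credential delegation"; rc=1; }
    return $rc
}
# Constructed sample tree holding the values shown on this page.
make_sample() {
    mkdir -p "$1/etc/ssh"
    printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat\n' > "$1/etc/nsswitch.conf"
    for f in pam_ldap.conf libnss-ldap.conf; do
        printf 'base dc=example,dc=com\nuri ldap://ip.to.ldap.host\nldap_version 3\n' > "$1/etc/$f"
    done
    printf 'GSSAPIAuthentication yes\n' > "$1/etc/ssh/sshd_config"
    printf 'GSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes\n' > "$1/etc/ssh/ssh_config"
}

sample=$(mktemp -d)
make_sample "$sample"
audit "$sample" && echo "sample tree: OK"
rm -rf "$sample"
```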