LDAP+Kerberos authentication on Debian Squeeze (+ AFS client)

Start by installing the necessary packages:

apt-get install krb5-user libnss-ldap libpam-krb5 libpam-ldap openafs-client openafs-modules-dkms libpam-afs-session

 

Modify /etc/pam_ldap.conf and /etc/libnss-ldap.conf to look like this:

base dc=example,dc=com
uri ldap://ip.to.ldap.host
ldap_version 3

 

Add ldap to passwd and group lines in /etc/nsswitch.conf, it should now look like this:

passwd:         compat ldap
group:          compat ldap
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

 

Add host principal, (the reverse dns for client must also point towards it’s hostname (client.domain)):

kadmin -p root/admin
addprinc -randkey host/client.domain
ktadd host/client.domain

 

Enable GSSAPI Authentication in SSH server by this to /etc/ssh/sshd_config

GSSAPIAuthentication yes

 

Also enable GSSAPI in the SSH client by adding this to /etc/ssh/ssh_config:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Multiple virtual network interfaces using netgraph

Load the ng_ether module, to make the real interfaces visible to netgraph

kldload ng_ether

or add it to /boot/loader.conf to load it on boot

echo 'ng_ether_load="YES"' >> /boot/loader.conf

Create the bridge and give it a name:

ngctl mkpeer em0: bridge lower link1
ngctl name em0:lower br0

Connect the physical interface to the bridge:

ngctl connect em0: br0: upper link2

Disable the overwriting of source route on the physical interface

ngctl msg em0: setautosrc 0

Enable promiscous mode on the physical interface

ngctl msg em0: setpromisc 1

Create the virtual interfaces and connect them to the bridge

ngctl mkpeer br0: eiface link3 ether
ngctl mkpeer br0: eiface link4 ether

Set an unique MAC-address to each of the virtual interfaces:

ifconfig ngeth0 link 00:5c:16:10:dd:79
ifconfig ngeth1 link 00:5c:16:10:dd:80