Start by installing the necessary packages:

    apt-get install krb5-user libnss-ldap libpam-krb5 libpam-ldap openafs-client openafs-modules-dkms libpam-afs-session

Modify /etc/pam_ldap.conf and /etc/libnss-ldap.conf to look like this:

    base dc=example,dc=com
    uri ldap://ip.to.ldap.host
    ldap_version 3

Add ldap to the passwd and group lines in /etc/nsswitch.conf. The file should now look like this:

    passwd: compat ldap
    group: compat ldap
    shadow: compat

    hosts: files dns
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: nis

Add a host principal for the client; addprinc and ktadd are entered at the kadmin prompt. The reverse DNS for the client must also point to its hostname (client.domain):

    kadmin -p root/admin
    addprinc -randkey host/client.domain
    ktadd host/client.domain

Enable GSSAPI authentication in the SSH server by adding this to /etc/ssh/sshd_config:

    GSSAPIAuthentication yes

Also enable GSSAPI in the SSH client by adding this to /etc/ssh/ssh_config:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

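To confirm the steps above took effect, the following read-only check script can be run on the client. It is an added example, not part of the original guide; the function names and the `--run` switch are hypothetical, and it does not verify the reverse DNS requirement.

```shell
#!/bin/sh
# Added example: read-only checks for the client setup described above.

# nss_has_ldap FILE DB: succeeds if DB (passwd, group) lists "ldap" as a source.
nss_has_ldap() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# ssh_option FILE KEYWORD: prints the first value set for KEYWORD, lower-cased.
# OpenSSH uses the first value it obtains; keywords are case-insensitive.
# Simplification: Host/Match blocks and Include files are not evaluated.
ssh_option() {
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/[=]/, " ") }     # also accept keyword=value
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# keytab_has_host FQDN: reads `klist -k` output on stdin and succeeds if it
# lists host/FQDN@<any realm>.
keytab_has_host() {
    awk -v p="host/$1@" '
        index($2, p) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_client FQDN: run every check against the live system
# (reading /etc/krb5.keytab needs root).
check_client() {
    rc=0
    for db in passwd group; do
        nss_has_ldap /etc/nsswitch.conf "$db" || { echo "FAIL: $db lacks ldap"; rc=1; }
    done
    [ "$(ssh_option /etc/ssh/sshd_config GSSAPIAuthentication)" = yes ] ||
        { echo "FAIL: sshd GSSAPIAuthentication is not yes"; rc=1; }
    klist -k /etc/krb5.keytab 2>/dev/null | keytab_has_host "$1" ||
        { echo "FAIL: no host/$1 key in /etc/krb5.keytab"; rc=1; }
    return $rc
}

# Run only when asked, e.g.: sh check.sh --run client.domain
if [ "${1:-}" = "--run" ]; then check_client "$2"; fi
```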