Before we proceed with client setup (let's assume our client machine name is deby01.dev.local) you need to set up the following:
- Kerberos Client (look here).
Once the basic installation of the above is complete, here we go:
- We need to install a few packages:
apt-get -y install ldap-utils libpam-ldap \
libsasl2-modules-gssapi-mit nscd libnss-ldap kstart
During installation you will be prompted with a few questions:
- libnss-ldap
LDAP server URI: ldap://ldapk1.dev.local/
Distinguished name of the search base: dc=dev,dc=local
LDAP version to use: 3
LDAP account for root: cn=admin,ou=people,dc=dev,dc=local
LDAP root account password: <just hit enter>
- libpam-ldap
Allow LDAP admin account to behave like local root? No
Does the LDAP database require login? No
- Reconfigure libpam-runtime and disable LDAP Authentication:
dpkg-reconfigure libpam-runtime
- Configure kstart by adding the following to /etc/inittab (it will check every 10 minutes whether the Kerberos ticket needs to be renewed, and sets the ticket lifetime to 24 hours):
KS:2345:respawn:/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -l 24h
Force init to reload configuration:
kill -HUP 1
Ensure /tmp/krb5cc_0 file is created:
ls -lh /tmp/krb5cc_0
- Kerberise libnss-ldap (file /etc/libnss-ldap.conf); ensure it contains the following:
base dc=dev,dc=local
uri ldap://ldapk1.dev.local/
ldap_version 3
rootbinddn cn=admin,ou=people,dc=dev,dc=local
# Use SASL and GSSAPI and where to find the
# Kerberos ticket cache.
use_sasl on
sasl_mech gssapi
krb5_ccname FILE:/tmp/krb5cc_0
- Set defaults for LDAP clients (file /etc/ldap/ldap.conf). Note that the client configuration changes if LDAP is configured via SSL (see here).
BASE dc=dev,dc=local
URI ldap://ldapk1.dev.local/
SASL_MECH GSSAPI
- Add LDAP support to the name lookups used by the login process and served by nscd (file /etc/nsswitch.conf):
passwd: compat ldap
group: compat ldap
shadow: compat ldap
- Restart Name Service Cache daemon:
/etc/init.d/nscd restart
- Configure PAM to automatically create a user home directory (file /etc/pam.d/common-session):
session required pam_mkhomedir.so
You should be ready to log in with a user created in LDAP and a password set in Kerberos.
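Before trying that first login it is worth confirming that the pieces above fit together. The following POSIX shell script is an added example, not code from the original post: it checks that /etc/libnss-ldap.conf binds with SASL/GSSAPI and points at a FILE: ticket cache, that passwd, group and shadow in /etc/nsswitch.conf all consult ldap, and that the cache k5start maintains exists and is readable only by its owner (anyone who can read that cache can bind to the directory as the host principal until the ticket expires). The file paths are the ones from the post; the `write_samples` function builds constructed stand-ins for those files in a temporary directory so the script also runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the
# Kerberised LDAP client configured above. The functions read the files
# the post edits; write_samples builds constructed stand-ins so the
# script also runs offline.

# Print the value of KEY in a "key value" config file (e.g.
# /etc/libnss-ldap.conf), ignoring comment lines. Keys match
# case-insensitively because /etc/ldap/ldap.conf uses upper-case keys.
conf_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# /etc/libnss-ldap.conf: nss lookups must bind with SASL/GSSAPI and be
# told where k5start keeps the ticket cache. Reports each problem and
# returns 1 if there is any.
check_libnss_ldap_conf() {
    ln_file=$1; ln_rc=0
    [ -r "$ln_file" ] || { echo "$ln_file: cannot read"; return 1; }
    [ "$(conf_value "$ln_file" use_sasl)" = on ] \
        || { echo "$ln_file: use_sasl is not 'on'"; ln_rc=1; }
    [ "$(conf_value "$ln_file" sasl_mech | tr 'A-Z' 'a-z')" = gssapi ] \
        || { echo "$ln_file: sasl_mech is not 'gssapi'"; ln_rc=1; }
    case "$(conf_value "$ln_file" krb5_ccname)" in
        FILE:/*) ;;
        *) echo "$ln_file: krb5_ccname must name a FILE: ticket cache"; ln_rc=1 ;;
    esac
    return $ln_rc
}

# /etc/nsswitch.conf: passwd, group and shadow must all list ldap, or
# the LDAP user is never found at login. Returns 1 if any is missing.
check_nsswitch() {
    ns_file=$1; ns_rc=0
    for db in passwd group shadow; do
        awk -v d="$db:" '$1 == d { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                         END { exit ok ? 0 : 1 }' "$ns_file" \
            || { echo "$ns_file: $db does not consult ldap"; ns_rc=1; }
    done
    return $ns_rc
}

# The ticket cache k5start maintains must exist and be readable only by
# its owner: whoever can read it can bind as the host principal until
# the ticket expires. Returns 1 on failure.
check_ccache() {
    cc=$1
    [ -f "$cc" ] || { echo "$cc: ticket cache not found (is k5start running?)"; return 1; }
    cc_mode=$(ls -ld "$cc" | cut -c1-10)
    [ "$cc_mode" = "-rw-------" ] && return 0
    echo "$cc: permissions are $cc_mode, expected -rw------- (chmod 600)"
    return 1
}

# Run all three checks; arguments: libnss-ldap.conf nsswitch.conf ticket-cache.
run_checks() {
    all_rc=0
    check_libnss_ldap_conf "$1" || all_rc=1
    check_nsswitch "$2" || all_rc=1
    check_ccache "$3" || all_rc=1
    [ "$all_rc" -eq 0 ] && echo "client configuration looks consistent"
    return $all_rc
}

# Constructed sample files mirroring the post's settings, written to a
# temporary directory named in SAMPLE_DIR.
write_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/libnss-ldap.conf" <<'EOF'
base dc=dev,dc=local
uri ldap://ldapk1.dev.local/
ldap_version 3
rootbinddn cn=admin,ou=people,dc=dev,dc=local
# Use SASL and GSSAPI and where to find the Kerberos ticket cache.
use_sasl on
sasl_mech gssapi
krb5_ccname FILE:/tmp/krb5cc_0
EOF
    cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd: compat ldap
group: compat ldap
shadow: compat ldap
EOF
    # shadow left without ldap: the mistake the check is meant to catch
    cat > "$SAMPLE_DIR/nsswitch-bad.conf" <<'EOF'
passwd: compat ldap
group: compat ldap
shadow: compat
EOF
    : > "$SAMPLE_DIR/krb5cc_0" && chmod 600 "$SAMPLE_DIR/krb5cc_0"
}

# Usage: sh check-ldap-client.sh /etc/libnss-ldap.conf /etc/nsswitch.conf /tmp/krb5cc_0
# With no arguments the checks run on the constructed samples.
if [ "$#" -eq 3 ]; then
    run_checks "$1" "$2" "$3"
else
    write_samples
    run_checks "$SAMPLE_DIR/libnss-ldap.conf" "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/krb5cc_0"
fi
```

Once it passes on the real paths, `klist -c /tmp/krb5cc_0` shows whether the host ticket is valid and `getent passwd <ldap user>` confirms the directory is actually being consulted through the Kerberised bind.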
Troubleshooting