Kerberos
From Buffalo Lab, Inc.
Edit the local Kerberos database (Heimdal kadmin in local mode, hence -l)
kadmin -l
Create principal for server
kadmin -l add -r host/hostname.seneca.buffalolab.org
Export keytab for server
kadmin -l ext_keytab -k /tmp/hostname.keytab host/hostname.seneca.buffalolab.org
Create principal for member
kadmin -l add username
NSS/LDAP
On the Kerberos admin server, create a service principal for the client, export its keytab, copy it to the client and remove the local copy:
kadmin -l add -r nssldap/hostname.seneca.buffalolab.org
kadmin -l ext_keytab -k /tmp/nssldap.keytab nssldap/hostname.seneca.buffalolab.org
scp /tmp/nssldap.keytab root@hostname:/etc/nssldap.keytab
rm /tmp/nssldap.keytab
Debian 5
On the client, lock down the keytab (it holds the principal's long-term key) and install the MIT GSSAPI SASL module, the LDAP NSS module and the name service cache daemon:
chmod 0600 /etc/nssldap.keytab
apt-get install libsasl2-modules-gssapi-mit libnss-ldap nscd
NOTE: libsasl2-modules-gssapi-heimdal does not support krb5_ccname
Create a cronjob that runs at least daily, so the ticket is renewed before it expires:
kinit -t /etc/nssldap.keytab -k -c /etc/.ldapcache nssldap/hostname.seneca.buffalolab.org
chmod 0644 /etc/.ldapcache
The cache is deliberately world-readable: NSS lookups run inside every user's process rather than in a daemon, so each process must be able to read the nssldap ticket. Any local user can therefore use that ticket, so give the nssldap principal nothing beyond read access to the directory.
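The two-command cron job above creates the cache with mode 0600 and only then chmods it, so lookups from non-root processes fail in between, and a failed kinit can leave a stale or empty file behind. The following script, an added example and not part of the Buffalo Lab page, refreshes the cache through a temporary file next to it and renames it into place, so the previous ticket stays usable until a new one has been obtained. It also refuses to use a keytab that is readable by group or other. The script name /usr/local/sbin/nssldap-ticket and the three positional arguments are assumptions; keytab path, principal and cache path are the ones from the page.

```shell
#!/bin/sh
# Added example (not from the Buffalo Lab page): atomic refresh of the
# nssldap ticket cache for use from cron. Assumes Heimdal kinit and the
# keytab/principal/cache names used on the page; the script name and the
# positional-argument interface are assumptions.
set -eu

# refresh_ccache KEYTAB PRINCIPAL CACHE
# Obtains a fresh TGT into a temporary file beside CACHE, makes it
# world-readable (nss_ldap runs inside every user's process), then renames
# it over CACHE atomically. On any failure the old cache is left untouched.
refresh_ccache() {
    keytab=$1
    principal=$2
    cache=$3

    # The keytab holds the principal's long-term key: refuse a keytab that
    # group or other can read. Characters 5-10 of ls -l are the group/other
    # permission bits on both GNU and BSD userlands.
    mode=$(ls -ld "$keytab" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "refusing: $keytab is readable by group/other ($mode)" >&2
        return 1
    fi

    # mktemp creates the file 0600 in the same directory, so mv is a rename.
    tmp=$(mktemp "$cache.XXXXXX")

    # Heimdal kinit: -t keytab, -k use the keytab, -c target cache.
    if kinit -t "$keytab" -k -c "FILE:$tmp" "$principal"; then
        chmod 0644 "$tmp"
        mv -f "$tmp" "$cache"
        return 0
    fi

    rm -f "$tmp"
    echo "kinit failed for $principal; keeping previous $cache" >&2
    return 1
}

# Invoked from cron (at least daily) as:
#   /usr/local/sbin/nssldap-ticket /etc/nssldap.keytab \
#       nssldap/hostname.seneca.buffalolab.org /etc/.ldapcache
if [ "$#" -eq 3 ]; then
    refresh_ccache "$@"
fi
```

Because the rename is atomic, a process that opens /etc/.ldapcache sees either the complete old cache or the complete new one, never a truncated file, and a kinit failure (KDC down, keytab out of date after a key change) is reported on stderr, which cron mails to root, instead of silently breaking every lookup on the host.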
/etc/libnss-ldap.conf
uri ldap://ldap0.seneca.buffalolab.org
base dc=buffalolab,dc=org
ldap_version 3
ssl start_tls
tls_checkpeer no
use_sasl on
nss_map_attribute cn displayName
krb5_ccname FILE:/etc/.ldapcache
Note that tls_checkpeer no turns off verification of the LDAP server's certificate, so start_tls protects the session against passive eavesdropping only; an active attacker who can impersonate ldap0 at the TLS layer is not detected. On a production client set tls_checkpeer yes and point tls_cacertfile at the CA certificate that issued ldap0's server certificate.
/etc/nsswitch.conf
...
passwd: files ldap
group:  files ldap
...
To test the setup, use the getent and id commands; a user that resolves through ldap shows up with the uid, gid and shell stored in the directory:
server:~# getent passwd poolecl
poolecl:*:10007:100:Chris:/home/poolecl:/bin/bash
server:~# getent passwd mlehner
mlehner:*:10000:100:Matt:/home/mlehner:/bin/sh
server:~# getent group users
users:x:100:
server:~# id mlehner
uid=10000(mlehner) gid=100(users) groups=100(users)
