
Linux Kerberos and LDAP authentication against a Windows domain controller


The diagram and config files included with this document are for setting up MIT Kerberos for authentication and NSS_LDAP for name services. This document assumes that you have the Services for Unix 3.5 schema extensions installed on your Windows domain controller.

krb5.conf and ldap.conf will need to be tailored to your environment.

Once you have successfully configured Kerberos and LDAP you should be able to log on to your Linux machine using a Windows account and password.

Preferred order of setup

1. Compile MIT-KRB5
2. Compile PAM_KRB5
3. Compile OpenLDAP
4. Compile NSS_LDAP

Configuration


1. MIT-KRB5

The defaults are fine with the Gentoo ebuild. For compiling from source, use:
./configure --enable-shared --without-krb4 --enable-dns [--prefix=/usr/local/mitkrb5]
Once built, just copy the krb5.conf file into /etc.

2. PAM_KRB5

The defaults are fine with the Gentoo ebuild. For compiling from source, use:
./configure --with-krb5=/usr --without-krb4 --with-pamdir=/lib/security [--prefix=/usr]
Once built, update /etc/pam.d/system-auth with the PAM_KRB5 entries.

3. OpenLDAP

I added the kerberos USE flag on Gentoo. For compiling from source, use:
./configure --with-kerberos --disable-slapd --disable-slurpd

4. NSS_LDAP

The defaults are fine with the Gentoo ebuild. For compiling from source, use:
./configure --with-ldap-lib=openldap --enable-schema-mapping --enable-paged-results --enable-rfc2307bis
Once built, just copy ldap.conf into /etc.



Troubleshooting


1. MIT-KRB5

Use kinit and klist to look at the tickets.

2. PAM_KRB5

Add the word debug to the PAM_KRB5 entries in system-auth, then look in /var/log/messages for errors.

3. OpenLDAP

Use ldapsearch. A Java-based LDAP browser utility can also be used to browse Active Directory from the machine.

4. NSS_LDAP

Add the following to /etc/ldap.conf:

debug 9
logdir /var/log/ldap_nss

You should be able to 'id' users in Active Directory that have Unix attributes.
You may need to reboot after putting the ldap entry into /etc/nsswitch.conf to make it work.

Extras


You can set up OpenSSL to create an encrypted tunnel for the authentication between NSS_LDAP and Active Directory. The above uses a simple bind with an administrative account and password specified in /etc/ldap.
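As an added example (not one of this site's download files; host, base DN, bind account, password and CA path are placeholders), a small shell check for the two weaknesses of the simple bind just described, run over a constructed copy of that configuration and over a hardened one that also carries the nss_ldap attribute mappings for the Services for Unix 3.5 schema:

```shell
#!/bin/sh
# Audit an nss_ldap /etc/ldap.conf for two weaknesses of the simple-bind setup:
# the admin bind password in a world-readable file, and no TLS to the DC.
# Prints one finding per line; returns 0 only when no FAIL is raised.
audit_ldap_conf() {
    f="$1"; rc=0
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f"; then
        echo "FAIL: bindpw stored in $f (use rootbinddn and /etc/ldap.secret, mode 600)"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)([[:space:]]|$)' "$f"; then
        echo "FAIL: no 'ssl start_tls' or 'ssl on': the bind crosses the wire in cleartext"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$f"; then
        echo "WARN: tls_checkpeer is not yes, so the DC certificate is not verified"
    fi
    return $rc
}
# Constructed sample (placeholder host, base and password): the simple bind
# with an administrative account that the page describes.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
host dc1.example.com
base dc=example,dc=com
binddn cn=ldapbind,cn=Users,dc=example,dc=com
bindpw Secret123
EOF
# Constructed sample, hardened: password moved to /etc/ldap.secret (read via
# rootbinddn), STARTTLS with CA verification, plus the nss_ldap attribute
# mappings for the Services for Unix 3.5 (msSFU30*) schema.
STRONG=$(mktemp)
cat > "$STRONG" <<'EOF'
host dc1.example.com
base dc=example,dc=com
rootbinddn cn=ldapbind,cn=Users,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
EOF
audit_ldap_conf "$WEAK"   || echo "=> weak config rejected"
audit_ldap_conf "$STRONG" && echo "=> hardened config accepted"
```

Note that rootbinddn only applies to processes running as root; non-root lookups then bind anonymously, which Active Directory refuses by default, so pair it with nscd (which runs as root and caches results) or with a low-privilege read-only binddn rather than an administrative account.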

SASL could be configured so that the encryption method for the SSL tunnel is auto-negotiated.

The daemons on the server could be set to use Kerberos. Alongside Kerberos-aware Windows clients like PuTTY, this would then enable single sign-on.

Samba 3 could be installed. The server component can be configured with security = ADS and would use NSS_LDAP as the idmap backend for username mapping.