[HELP] Configuring Kerberos/LDAP for shared logins across a domain/realm?

I’ve been trying to get Kerberos and LDAP working such that I can share users between multiple machines on a network, similar to how a traditional Windows AD domain would work, except in my case all machines will be Linux.

I’ve got as far as setting up Kerberos on the server and a test client with the domain/realm TEST(DOT)RHYSPERRY(DOT)COM. I can test it’s working as I can use kinit on the test client to get a ticket for a user principal created on the server.

I’m currently, however, struggling with how I would get this configured to the point where I can create a user on the server, and then I can fully log in as that user from the client machine e.g. from gdm. I’ve had a look around, and most articles seem to suggest that LDAP can be used for this, however I’ve so far been unsuccessful in configuring LDAP to work with Kerberos. The Arch Wiki article for LDAP doesn’t mention Kerberos at all.

I also recognize that I might want to spin up another server (the entire network and machines are virtual for now while I test things) for storage e.g. for an NFS /home mount.

Any tips or pointers are appreciated. I’ve not been able to find any articles that cover the entirety of the process from start to finish, so it’s kinda hard to understand how every bit fits together.

Both the server and all the clients will be running Arch. (yes I know, but it’s what I’m familiar with and what I’m comfortable with)

Note: The domain redirects to a rickroll from the internet (I forgot about that), but I’m only using Kerberos on my local network so it’s fine

I would hazard a guess that the machine you are using does not have BIND9 or any sort of DNS server currently configured on it. Even if you set up LDAP, you need the network and DNS to be able to point where that stuff is so the server can respond. This guide has SAMBA also, but look through how and where all the domain stuff is set up; you will need it configured whether SAMBA or LDAP (or both) is in use. KERBEROS will NOT respond unless DNS is SPOT ON!

The ‘Fixing all the configs’ section should be the most help, probably. (though they may have different locations in ARCH)

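To check the DNS prerequisites the reply above is talking about before touching LDAP, here is an added example script (mine, not from the thread) that uses `dig` to verify the forward lookup, the matching reverse lookup, and the SRV/TXT records Kerberos clients use to find the KDC; the hostname `client.example.test` and realm `EXAMPLE.TEST` are constructed placeholders, and the script assumes `dig` (bind-tools on Arch) is installed.

```shell
#!/bin/sh
# Verifies the DNS facts a Kerberos realm depends on, from a client's view.
# Usage: check_krb_dns <client-fqdn> <REALM>   (e.g. client.example.test EXAMPLE.TEST)
check_krb_dns() {
    host=$1
    realm=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')   # realm EXAMPLE.TEST -> dns domain example.test
    fail=0

    # 1. Forward lookup: the client's FQDN must resolve.
    ip=$(dig +short A "$host" | head -n1)
    if [ -z "$ip" ]; then
        echo "FAIL: no A record for $host"; fail=1
    else
        # 2. Reverse lookup must map back to the same FQDN; krb5 canonicalises
        #    service hostnames through rDNS by default, so a mismatch breaks tickets.
        ptr=$(dig +short -x "$ip" | sed 's/\.$//')
        if [ "$ptr" != "$host" ]; then
            echo "FAIL: PTR for $ip is '$ptr', expected $host"; fail=1
        fi
    fi

    # 3. SRV records clients use to locate the KDC and kpasswd service when
    #    krb5.conf does not hard-code kdc= / admin_server= lines.
    for svc in _kerberos._udp _kerberos._tcp _kpasswd._udp; do
        srv=$(dig +short SRV "$svc.$domain")
        if [ -z "$srv" ]; then
            echo "FAIL: no SRV record for $svc.$domain"; fail=1
        fi
    done

    # 4. Optional TXT record mapping the DNS domain to the realm name
    #    (only needed if krb5.conf has no matching [domain_realm] entry).
    txt=$(dig +short TXT "_kerberos.$domain" | tr -d '"')
    if [ "$txt" != "$realm" ]; then
        echo "WARN: _kerberos.$domain TXT is '$txt', expected $realm"
    fi

    [ "$fail" -eq 0 ] && echo "OK: DNS looks sane for $host in realm $realm"
    return $fail
}
```

Run it from the client after pointing `/etc/resolv.conf` at your own DNS server; every FAIL line is something `kinit` or a gdm login will trip over before LDAP is even consulted.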