The short answer
Be sure you have a valid /etc/krb5.keytab with your host/* principal, e.g. doing:
rpi ~$ sudo kadmin -p user/admin
kadmin: addprinc -policy host -randkey host/<hostname>.home.hoeft-online.de
kadmin: ktadd -k /etc/krb5.keytab host/<hostname>.home.hoeft-online.de
kadmin: q
Disable the caching daemon nscd if available with sudo systemctl disable --now nscd.service. Don't confuse it with nslcd. Then check Proxy Authorization:
rpi ~$ sudo apt install libsasl2-modules-gssapi-mit ldap-utils
rpi ~$ kinit -p ingo
rpi ~$ ldapwhoami -Y GSSAPI -H ldap://kdc-master.home.hoeft-online.de -D "uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de"
SASL/GSSAPI authentication started
SASL username: ingo@HOME.HOEFT-ONLINE.DE
SASL SSF: 256
SASL data security layer installed.
dn:uid=ingo,ou=people,ou=home,dc=hoeft-online,dc=de
Then install:
rpi ~$ sudo apt install libnss-ldapd kstart
Just accept the default settings in the installation dialog. We overwrite them with these configuration files. Use them with your settings:
nslcd.conf
~$ sudo cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# Logging options, default is info
#log syslog debug
# The location at which the LDAP server(s) should be reachable.
uri ldap://kdc-master.home.hoeft-online.de
# The search base that will be used for all queries.
base ou=home,dc=hoeft-online,dc=de
# The DN to bind with for normal lookups.
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
# Timing/reconnect options
# You may optimize this for your environment
#bind_timelimit 10
timelimit 30
idle_timelimit 3600
reconnect_sleeptime 2
#reconnect_retrytime 10
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# SASL options
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
# Other options
nss_initgroups_ignoreusers ALLLOCAL
nsswitch.conf
~$ cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Restart the service and check. Be sure ingo has no local unix account in /etc/passwd.
rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ getent passwd | grep ingo
Set up PAM login with Kerberos authentication:
rpi ~$ sudo apt install libpam-krb5
rpi ~$ sudo pam-auth-update
# select what you need
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login
# check
rpi ~$ kdestroy
rpi ~$ su -l ingo
password:
ingo@rpi ~$ klist
ingo@rpi ~$ logout
rpi ~$
Install nscd caching daemon (or enable it if already available):
rpi ~$ sudo apt install nscd
That's it.
Some more details
It took me several days to examine what's wrong with the setup. For troubleshooting you can increase logging to debug output, on the LDAP server to olcLogLevel: any:
slapd ~$ echo 'dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any' > /tmp/in.ldif
slapd ~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/in.ldif
On the client device just uncomment the debug log line in /etc/nslcd.conf.
Restart the service and disable the caching daemon nscd (don't mix it up with nslcd) because nscd may confuse testing:
rpi ~$ sudo systemctl restart nslcd.service
rpi ~$ sudo systemctl disable --now nscd.service
Don't forget to revert debug logging and enable nscd when finished. Executing getent passwd you will see in the client log that it does not even start with GSSAPI client step 1, nothing. I realized that the nslcd.service does not get any credentials in /var/run/nslcd/nslcd.tkt for its authentication. Poking around I found in /etc/default/nslcd that /usr/bin/k5start has to be started, but that isn't installed and is documented nowhere. So just install it with:
rpi ~$ sudo apt install kstart
Now the log shows that GSSAPI starts with step 1 but then aborts.
Most confusing is the setup dialog presented on installing libnss-ldapd. It's asking for entries that are wrong for my setup with GSSAPI, in particular the distinguished name for the proxy user (sasl_authzid). This is not usable. Instead you have to use the normal binddn. Just accept the default settings in the setup dialog and afterwards use the config files from the short answer.
I use systemd-networkd together with systemd-resolved. With the systemd resolver I got an annoying delay of 60 seconds on login that wasn't acceptable. The journal -b shows me that querying the LDAP server for group membership timed out after 60 seconds:
Feb 26 01:25:45 titan systemd[1]: Reached target Network is Online.
Feb 26 01:25:45 titan systemd[1]: Starting LSB: LDAP connection daemon...
Feb 26 01:25:45 titan nslcd[441]: Starting Keep alive Kerberos ticket: k5start.
Feb 26 01:25:45 titan nslcd[455]: version 0.9.10 starting
Feb 26 01:25:45 titan nslcd[455]: accepting connections
Feb 26 01:25:45 titan nslcd[441]: Starting LDAP connection daemon: nslcd.
Feb 26 01:25:45 titan systemd[1]: Started LSB: LDAP connection daemon.
Feb 26 01:25:46 titan login[435]: pam_krb5(login:auth): authentication failure; logname=local uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Feb 26 01:25:46 titan login[435]: pam_unix(login:session): session opened for user local by LOGIN(uid=0)
Feb 26 01:25:46 titan systemd[1]: Created slice User Slice of UID 65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Runtime Directory /run/user/65533...
Feb 26 01:25:46 titan systemd-logind[428]: New session 1 of user local.
Feb 26 01:25:46 titan systemd[1]: Started User Runtime Directory /run/user/65533.
Feb 26 01:25:46 titan systemd[1]: Starting User Manager for UID 65533...
Feb 26 01:26:11 titan login[435]: pam_systemd(login:session): Failed to create session: Connection timed out
Feb 26 01:26:46 titan dbus-daemon[426]: [system] Connection has not authenticated soon enough, closing it (auth_timeout=30000ms, elapsed: 60060ms)
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> failed to bind to LDAP server ldap://kdc-master.home.hoeft-online.de: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: [8b4567] <group/member="local"> no available LDAP server found: Can't contact LDAP server: Invalid argument
Feb 26 01:26:46 titan nslcd[455]: GSSAPI client step 1
Feb 26 01:26:46 titan systemd[468]: pam_unix(systemd-user:session): session opened for user local by (uid=0)
Feb 26 01:26:46 titan nslcd[455]: [3c9869] <group/member="local"> connected to LDAP server ldap://kdc-master.home.hoeft-online.de
Feb 26 01:26:46 titan systemd[1]: Started User Manager for UID 65533.
Feb 26 01:26:46 titan systemd[1]: Started Session 1 of user local.
After days of error hunting I found that the option nss_initgroups_ignoreusers ALLLOCAL in /etc/nslcd.conf fixed this error. This option prevents group membership lookups through LDAP of non-LDAP users. It means that locally registered users like system accounts will not have a lookup to the LDAP server.
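As an added example that is not part of the answer above: a small POSIX shell script that checks a client for the pitfalls described here (missing k5start ticket cache directive, the dialog's sasl_authzid instead of binddn, missing nss_initgroups_ignoreusers, nsswitch not falling through to ldap, a competing local account). The functions take file paths so they can be pointed at /etc/nslcd.conf, /etc/nsswitch.conf and /etc/passwd or at the constructed sample files written by write_samples; the "bad" sample is a constructed assumption of what the install dialog produces, not a file from the original post.

```shell
#!/bin/sh
# Added example (not from the original answer): offline sanity checks for the
# nslcd + GSSAPI setup described above. Paths follow the answer's layout.

# Print the active "key value" directives of an nslcd.conf (comments stripped).
nslcd_directives() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# 0 if the config has every directive the GSSAPI proxy-user setup relies on,
# uses GSSAPI, and does not carry the sasl_authzid the install dialog suggests.
check_nslcd_conf() {
    for key in uri base binddn sasl_mech krb5_ccname nss_initgroups_ignoreusers; do
        nslcd_directives "$1" | grep -q "^$key[[:space:]]" || { echo "missing: $key"; return 1; }
    done
    nslcd_directives "$1" | grep -Eq '^sasl_mech[[:space:]]+GSSAPI[[:space:]]*$' \
        || { echo "sasl_mech is not GSSAPI"; return 1; }
    nslcd_directives "$1" | grep -q '^sasl_authzid' \
        && { echo "sasl_authzid set; use binddn instead"; return 1; }
    return 0
}

# 0 if passwd and group lookups fall through to the ldap source in nsswitch.conf.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" \
        && grep -Eq '^group:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# 0 if user $2 has no competing local account in passwd file $1.
check_no_local_user() {
    ! grep -q "^$2:" "$1"
}

# Constructed sample files in directory $1: a good nslcd.conf, a "bad" one that
# keeps the dialog's sasl_authzid and lacks nss_initgroups_ignoreusers, plus
# nsswitch.conf and passwd samples.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
uri ldap://kdc-master.home.hoeft-online.de
base ou=home,dc=hoeft-online,dc=de
binddn uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
nss_initgroups_ignoreusers ALLLOCAL
EOF
    sed -e '/^nss_initgroups/d' \
        -e 's#^binddn.*#sasl_authzid dn:uid=proxyuser,ou=people,ou=home,dc=hoeft-online,dc=de#' \
        "$1/good.conf" > "$1/bad.conf"
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files\n' > "$1/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\nnslcd:x:110:115::/var/run/nslcd:/usr/sbin/nologin\n' > "$1/passwd"
}
```

On a real client, run check_nslcd_conf /etc/nslcd.conf, check_nsswitch /etc/nsswitch.conf and check_no_local_user /etc/passwd ingo after sourcing the script; each prints the first problem it finds and returns non-zero.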