Getting user info via LDAP, authenticating via Kerberos

John Koelndorfer kdorf at cems.umn.edu
Thu Mar 26 13:48:20 EDT 2009


Hello everyone,

I've got a tricky problem that's been gnawing at me for the past few 
days or so. First, a little background:

We're running an Active Directory setup with the usual Windows domain 
controllers (they're Windows 2000, if it matters) but users' home 
directories are stored on a Linux box running Samba. Our other Linux 
servers will need to get at these homes for various reasons. Our setup 
is fine with NFSv3, but we were looking to gain security and move up to 
NFSv4 with Kerberos authentication. NFSv4 won't allow people to access 
their home directories without a valid Kerberos ticket for their 
principal. If this could be turned off somehow, that'd be one way to fix 
this issue (all_squashing to root doesn't sound particularly appealing); 
otherwise I need users to be able to get their Kerberos ticket on login.

That works fine as long as ldap is not listed in nsswitch.conf. The 
problem is we need to use ldap to fetch user info.

So, here's a quick example in case I wasn't clear enough:
I ssh to our server using my domain credentials, kdorf and password.

If I have a local user account on that machine and ldap is *not* listed 
in nsswitch.conf, I can log in using my domain password and a valid 
Kerberos ticket is fetched for me -- I get access to my home.

If I don't have a local account on that machine and ldap *is* listed in 
nsswitch.conf, I can log in using my domain password but `klist` shows 
that I do *not* have a valid Kerberos ticket. Home directory access is 
denied.

I need to have valid Kerberos tickets fetched for ldap users. 
Alternatively, I would like NFSv4 to not sweat people about Kerberos 
tickets to access their homes. Is this possible?

Thanks in advance for your help.
John
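An added diagnostic for the symptom described in this post (example code, not from the poster or the Kerberos list): it checks the two files the behaviour hinges on, whether nsswitch.conf resolves passwd via ldap and whether the PAM auth stack still reaches pam_krb5, the module that fetches the TGT at login. It assumes that a "sufficient" pam_ldap line which succeeds before pam_krb5 ends the stack early, so ldap-resolved users get no ticket; the sample configs are constructed.

```shell
# Added diagnostic (not from the original post). Reads nsswitch.conf and a
# PAM auth file: are users resolved via ldap, and is pam_krb5 (which obtains
# the TGT at login) still reached? Assumption: a "sufficient" pam_ldap line
# that succeeds before pam_krb5 ends the stack early, so no ticket is fetched.
# Only keyword controls (sufficient/required/...) are parsed, not [...] forms.

# passwd_uses_ldap NSSWITCH -> 0 if the passwd: line lists ldap
passwd_uses_ldap() {
    grep -E '^[[:space:]]*passwd:' "$1" | grep -Eq '[[:space:]]ldap([[:space:]]|$)'
}

# krb5_reachable PAMFILE -> 0 if pam_krb5 is in the auth stack and no
# "sufficient" pam_ldap line precedes it
krb5_reachable() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_ldap/ && !krb5 { ldap_first = 1 }
        $1 == "auth" && $3 ~ /pam_krb5/ { krb5 = 1 }
        END { exit !(krb5 && !ldap_first) }
    ' "$1"
}

# diagnose NSSWITCH PAMFILE -> 0 when ldap-resolved users should still get
# a ticket at login, 1 when the symptom in the post is expected
diagnose() {
    if ! passwd_uses_ldap "$1"; then
        echo "passwd not resolved via ldap: only local accounts log in here"
        return 0
    fi
    if krb5_reachable "$2"; then
        echo "ldap users resolved and pam_krb5 reachable: ticket expected"
        return 0
    fi
    echo "ldap users resolved but pam_krb5 skipped: no ticket at login"
    return 1
}

# Constructed sample configs (not the poster's real files) for a dry run.
TMP=$(mktemp -d)
printf 'passwd: files ldap\ngroup:  files ldap\n' > "$TMP/nsswitch-ldap"
printf 'passwd: files\ngroup:  files\n' > "$TMP/nsswitch-local"
printf 'auth sufficient pam_ldap.so\nauth sufficient pam_krb5.so\nauth required pam_unix.so\n' > "$TMP/auth-broken"
printf 'auth sufficient pam_krb5.so\nauth sufficient pam_ldap.so\nauth required pam_unix.so\n' > "$TMP/auth-fixed"

diagnose "$TMP/nsswitch-ldap" "$TMP/auth-broken" || true   # reproduces the symptom
diagnose "$TMP/nsswitch-ldap" "$TMP/auth-fixed"            # ticket expected
```

Point the functions at the real /etc/nsswitch.conf and the PAM service file sshd uses to compare the two hosts described in the post.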



More information about the Kerberos mailing list