Getting user info via LDAP, authenticating via Kerberos

Javier Palacios javiplx at gmail.com
Thu Mar 26 17:02:06 EDT 2009


On Thu, Mar 26, 2009 at 6:48 PM, John Koelndorfer <kdorf at cems.umn.edu> wrote:
> So, here's a quick example in case I wasn't clear enough:
> I ssh to our server using my domain credentials, kdorf and password.
>
> If I have a local user account on that machine and ldap is *not* listed
> in nsswitch.conf, I can log in using my domain password and a valid
> Kerberos ticket is fetched for me -- I get access to my home.
>
> If I don't have a local account on that machine and ldap *is* listed in
> nsswitch.conf, I can log in using my domain password but `klist` shows
> that I do *not* have a valid Kerberos ticket. Home directory access is
> denied.

You are basically looking in the wrong place.
To use a Kerberos ticket or not, you need to look at the PAM configuration,
and be careful to disable pam_ldap. If your distro is Red Hat derived,
it is quite easy to see this with either authconfig-tui or the
Administration->Authentication menu. User information is clearly
separated from authentication there. LDAP is in both places, but Kerberos
is only in one. I don't know of a similar tool for Debian distros (there was
a helper for Ubuntu which I cannot find right now), and I lack enough
expertise for other distros.

The distro you are using is an important detail that could help
clarify that.

NFSv4 might introduce differences, but for the other parts maybe
this reference could help you a bit:
http://kad.wiki.sourceforge.net/ActiveDirectoryIntegration

Javier Palacios
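As an added illustration of the split described above (not part of the original thread): user information comes from LDAP via nsswitch.conf, while the PAM auth stack uses pam_krb5 only, with the pam_ldap line left out. The PAM file shown is the RHEL-style /etc/pam.d/system-auth; the file paths, module ordering and the uid threshold are assumptions based on what authconfig writes on Red Hat derived systems of that era.

```text
# /etc/nsswitch.conf  -- user *information* (uid, gid, home, shell) via LDAP
passwd:     files ldap
shadow:     files ldap
group:      files ldap

# /etc/pam.d/system-auth  -- *authentication* via Kerberos only
# (assumed layout: what authconfig writes with Kerberos authentication
#  enabled and LDAP authentication disabled)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
#auth       sufficient    pam_ldap.so use_first_pass
#   ^ this line is present when LDAP authentication is enabled; because it
#     is "sufficient" and comes first, a successful LDAP bind ends the auth
#     stack before pam_krb5 runs, so the login succeeds but no ticket is
#     obtained (the symptom in the quoted message). Leave it out so the
#     password is verified against the KDC and pam_krb5 stores the TGT.
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so
```

After logging in, `klist` should list a krbtgt entry for the realm; if it does not, check the auth stack for a pam_ldap (or other "sufficient") line ordered before pam_krb5.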
