Notes for Implementing NFSv4 foreign/local name mapping via LDAP and nsswitch

Installation:
--------------
(starting with a clean Fedora Core 1)

Parts:
  Cyrus-SASL
  OpenLDAP
  Kerberos 5
  nss-ldap
  Berkeley DB
  tcl

Kerberos 5 installation:
------------------------
Grab the rpm from the fedora rpm repositories:
  ftp://ftp.rediris.es/sites2/fedora.us/fedora/fedora/1/i386/RPMS.os/krb5-workstation-1.3.1-6.i386.rpm
Install the rpm (yum could probably be used here instead to get the krb5-workstation pkgs).

If you like, you can launch your own Krb5 server so you can bang on it
-------------------------
  yum install krb5-server
  kdb5_util -r LUCCA.CITI.UMICH.EDU create -s
  kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin" -r LUCCA.CITI.UMICH.EDU
  kadmin.local -r LUCCA.CITI.UMICH.EDU -q "addprinc krbadm@LUCCA.CITI.UMICH.EDU"
  kadmin.local -r LUCCA.CITI.UMICH.EDU -q "addprinc ldapadm@LUCCA.CITI.UMICH.EDU"

tcl installation (required for db4 recompilation)
----------------------------
  yum install tcl-devel

Berkeley DB installation
(we need to fix the db4 installation on Fedora because it doesn't do POSIX threads... this is a known bug)
---------------------------
Bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=91933
Get the db source rpm:
  http://download.fedora.redhat.com/pub/fedora/linux/core/1/i386/os/SRPMS/db4-4.1.25-14.src.rpm
Unpack the source RPM.
Replace the db4.spec file with the patched one:
  https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=95993&action=view
Recompile the RPM:
  rpmbuild -ba /usr/src/redhat/SPEC/db4.spec
Force update all db4 packages.

Cyrus-SASL Installation:
------------------------
  yum install cyrus-sasl
  yum install cyrus-sasl-devel
  yum install cyrus-sasl-gssapi
  yum install cyrus-sasl-md5
  yum install cyrus-sasl-plain

OpenLDAP installation:
----------------------
Get the source from openldap.org (current version 2.1.25-20031217).
Configure (assuming installation directory /usr/local/src/openldap-2.1.25):
  ./configure --enable-spasswd --enable-passwd --with-tls --with-cyrus-sasl --prefix=/usr/local/src/openldap-2.1.25
  make depend
  make
  make test        (this should succeed for all tests)
  #make install

NSS_LDAP installation:
----------------------
Get nss-ldap from cvs.
  ./configure --enable-debug
  make
  #make install

Configure LDAP:
---------------
A sample slapd.conf file is in src/slapd.conf.
Place this in /usr/local/src/openldap-XXXXX/etc/openldap.
A sample ldap.conf file is in src/ldap.conf.
Place this in both /usr/local/src/openldap-XXXXX/etc/openldap and /etc/.

Running LDAP:
--------------
  /usr/local/src/openldap-2.1.25/libexec/slapd -f /usr/local/src/openldap-2.1.25/etc/openldap/slapd.conf -d 15
(-d 15 gets you all the debug info)

Setting up NSSWITCH
-------------------
In nsswitch.conf, add ldap to any line you want to resolve (passwd) so it looks like the following:
  passwd: files ldap
This will cause nsswitch to fall back to ldap to find non-local users.
At this point, you can try an su to atlas01 and see that it succeeds.

Setting up the Kerberos Keytab
--------------
Create an nss_ldap/lucca.citi.umich.edu@LUCCA.CITI.UMICH.EDU principal.
Create a keytab file for this principal.
Put this keytab in krb5.keytab on the local machine.
You should now be able to run the following:
  /usr/kerberos/bin/kinit -5 -k -c /.ldap.ccache nss_ldap/lucca.citi.umich.edu && chown nscd:nscd /.ldap.ccache && chmod 0644 /.ldap.ccache
If this succeeds, all is well.

Add the following line to your crontab:
  0 */6 * * * /usr/kerberos/bin/kinit -5 -k -c /.ldap.ccache nss_ldap/lucca.citi.umich.edu && chown nscd:nscd /.ldap.ccache && chmod 0644 /.ldap.ccache
This will keep your nss_ldap creds fresh.

Setting up SASL Authentication
----------------
Try running
  sasl2-sample-server -s nss_ldap
and
  sasl2-sample-client -s nss_ldap lucca.citi.umich.edu
Make sure the Realm is specified in krb5.conf and LUCCA.CITI.UMICH.EDU is the default realm.