NFSv4: is KRB needed???

Aleksandar Milivojevic amilivojevic at
Thu Jan 6 14:52:09 UTC 2005

Damir Dezeljin wrote:
> I guess that the problem is related to KRB (Kerberos-5). My authentication
> backend is OpenLDAP. I don't want to change.
> Do I really need KRB to use NFSv4? If yes ... is it posible to use data
> from OpenLDAP for KRB?

I can't answer your first question.

As for your second qestion, getting Kerberos and OpenLDAP to work 
together is simple.

There's apperently two ways of doing it.

First approach is to let Kerberos handle authentication, and use LDAP 
for everything else.  Using this approach, you can use either Kerberos 
or LDAP to check passwords (in later case, LDAP server will check 
password against Kerberos for you).  Check this page for some hints:

In short (plus some hints not present on that page), you setup Kerberos 
as usual, define users (now called principals) and so on.  I will assume 
that you have setup /etc/krb5.conf and placed key for 
host/ at YOUR.KRB.REALM.COM into /etc/krb5.keytab 
file as part of this setup on your LDAP server.

On your OpenLDAP server, create file /usr/lib/sasl2/slapd.conf, and 
place single line in it:

pwcheck_method: saslauthd

(or you can simply copy existing Sendmail.conf file).

Edit /etc/sysconfig/saslauthd file and make sure this two are defined as 


Enable saslauthd and start it:

# chkconfig saslauthd on
# /etc/init.d/saslauthd start

Then in your LDAP database, instead of placing passwords in userPassword 
attribute, you place something like this (note that by convention, realm 
names should always be uppercase, and rembmer that Kerberos names are 
case sensitive):

userPassword: {SASL}username at YOUR.KRB.REALM.COM

When slapd encounters this in userPassword attribute, it will connect to 
saslauthd, and saslauthd will check the password against your Kerberos 
realm (based on the config from /etc/krb5.conf).  If using MIT 
implementation, you must have key for 
host/ at YOUR.KRB.REALM.COM principal in 
/etc/krb5.keytab file (this file should be readable only by root).

You can also define ldap principal 
(ldap/ at YOUR.KRB.REALM.COM), place key for it in 
/etc/openldap/ldap.key on your LDAP server (make the file readable only 
by ldap user), and place "KRB5_KTNAME=/etc/openldap/ldap.keytab" in 

It is also possible to go the other way around, and use OpenLDAP as 
store for Kerberos (you'll need krb5-kdc.schema included in your 
slapd.conf file).  I've never done that, but a bit searching on the web 
should help you.

Aleksandar Milivojevic <amilivojevic at>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

More information about the users mailing list