NSS does not deal with authentication; it just looks up names. It is up to PAM (Pluggable Authentication Modules) to handle authentication. To do this, you need to install the libpam-krb5 package on a client machine that will use Kerberos for authentication. You will also need the krb5-user package. Next, copy “/etc/krb5.conf” from the functional Kerberos server to the client at the same path.
Now you need to edit a few configuration files. In “/etc/pam.d/common-account”, it should read as follows:
In “/etc/pam.d/common-auth”, it should read as follows:
In “/etc/pam.d/common-password”, it should read as follows:
In “/etc/pam.d/common-session”, it should read as follows:
To test this, we first need to create a principal named newbie in Kerberos. Use kadmin (remotely; remember to authenticate as root/admin) or kadmin.local (on the machine running the Kerberos KDC server) to do this. Make sure you remember the password for the newbie principal. Next, log out as root and log in as newbie. If everything is configured properly, the authentication should succeed. However, because the newbie home directory has not been set up, login will complain: “No directory, logging in with HOME=/”.
Next, as newbie, execute the following compound command:
It should show that the newly created file belongs to newbie.
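A pre-flight check for the client setup described above, as an added example that is not part of the original page: it confirms that “/etc/krb5.conf” is present and that each of the four common-* PAM stacks has an active (uncommented) line of its own type referencing pam_krb5.so, and it flags any of those files that is world-writable. The function name `check_krb5_client` and its filesystem-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# check_krb5_client [ROOT]
# ROOT is a filesystem prefix (hypothetical parameter for this example):
# leave it empty or pass "/" for the live system, or point it at a staged
# copy of /etc. Prints a space-separated list of problems and returns
# non-zero if any were found.
check_krb5_client() {
    root="${1%/}"
    missing=""

    # The client needs a non-empty krb5.conf copied from the Kerberos server.
    if [ ! -s "$root/etc/krb5.conf" ]; then
        missing="$missing krb5.conf"
    fi

    for stack in account auth password session; do
        f="$root/etc/pam.d/common-$stack"

        # Require an active line of the right type that loads pam_krb5.so.
        # Lines starting with '#' do not match, so a commented-out module
        # is reported as missing.
        if ! grep -Eq "^[[:space:]]*-?${stack}[[:space:]].*pam_krb5\.so" "$f" 2>/dev/null; then
            missing="$missing common-$stack"
        fi

        # A world-writable PAM stack lets any local user rewrite the
        # authentication policy, so report it as a separate finding.
        if [ -n "$(find -L "$f" -perm -002 2>/dev/null)" ]; then
            missing="$missing common-$stack:world-writable"
        fi
    done

    echo "${missing# }"
    [ -z "$missing" ]
}
```

Run `check_krb5_client /` on the client before logging out as root; an empty result with exit status 0 means all four stacks and krb5.conf passed.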