This is a page about how to setup a client with nfs4, kerberos, and secure ldap. I have tested it with Debian 7 and 8, but I don't have production experiences with Debian 8.

The setup for the server is described here:

Remark: this page uses libnss-ldap, but the release notes advices to replace that with libnss-ldapd: I have tried libnss-ldapd once with Debian 8, but it did not work, so I use libnss-ldap at the moment.

First of all, you need a correct FQDN hostname. When you did the setup correct, the FQDN hostname will allready be correct. If you give the command "hostname --fqdn" this should give something like "" and not only "pc001". You can change the hostname in /etc/hostname, put the short name there (e.g. "pc001"), After changing it you must run /etc/init.d/ and logout and login, or reboot. You can change the domain-part in /etc/hosts. You need there a line like:   pc001

where "pc001" is the hostname of the machine, and "" is your domain. Every machine needs an unique name.

This setup assumes that there is a machine-key for this machine created on the server.

Further it assumes that you have an admin account and a normal user account on the server, if not, read the part on the end of this page.

Client setup:

# become root:
su -

# check your hostname if it's correct. When not, see the part at the begin of the howto
hostname --fqdn

# First set variables, and ask for some
read -p "Server with Kerberos and LDAP, something like '' : " SERVER

read -p "Admin username on the server, something like 'john' : " ADMIN

HOST=$(hostname --fqdn)
REALM=$(echo "${SERVERDOMAIN}" | tr '[:lower:]' '[:upper:]')

# install some packages
DEBIAN_FRONTEND=noninteractive apt-get install ntp nscd krb5-user krb5-doc libpam-krb5 ca-certificates nfs-common rpl

DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends libnss-ldap

# Increase minimal UID in for kerberos accounts accepted by PAM
cd /etc/pam.d/
sed -i '/[^#].*pam_krb5/s/minimum_uid=1000/minimum_uid=2000/' \
    common-auth common-session common-password common-account

# Configure LDAP
cat <<EOF >/etc/ldap/ldap.conf
URI ldaps://${SERVER}
TLS_CACERT /etc/ssl/certs/CAself-cert.pem

# Activate LDAP in name service switch
sed -i 's/compat/files ldap/' /etc/nsswitch.conf

# Copy /etc/ssl/certs/CAself-cert.pem from the server to the client
# in the same directory, e.g. if you have an account on the server.
# (there no real need to do this in a secure way)
scp $ADMIN@"${SERVER}":/etc/ssl/certs/CAself-cert.pem /etc/ssl/certs

# configure name service switch, for Ubuntu you need to change /etc/ldap.conf!
cat <<EOF >/etc/libnss-ldap.conf
base ${LDAPROOT}
uri ldaps://${SERVER}
ldap_version 3
scope sub

# Configure kerberos, ticket_lifetime is in minutes
cat <<EOF >/etc/krb5.conf
        default_realm = ${REALM}
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        ticket_lifetime = 525600
        rdns = false
        $REALM = {
                kdc = ${SERVER}
                admin_server = ${SERVER}
        .$DOMAIN = ${REALM}
        krb4_convert = true
        krb4_get_tickets = false
     admin_server = SYSLOG:INFO:DAEMON
     default = SYSLOG:INFO:DAEMON[logging]

# Download the machine-key to /etc/krb5.keytab. When this is not possible this way,
# look at the end of this page for another way.
kadmin -p $ADMIN/admin -q "ktadd nfs/$(hostname --fqdn)"

# configure the NFS init script for the daemons
sed -i 's/^ *NEED_GSSD=.*$/NEED_GSSD=yes/' /etc/default/nfs-common
sed -i 's/^ *NEED_IDMAPD=.*$/NEED_IDMAPD=yes/' /etc/default/nfs-common
echo 'RPCGSSDOPTS="-vv"' >>/etc/default/nfs-common

# Configure NFS4-domain for idmapd
sed -i "s/^Domain *=.*$/Domain = $SERVERDOMAIN/" /etc/idmapd.conf

# Restart daemons for NFS4
/etc/init.d/nfs-common restart

# tell fstab what you want to mount
mkdir /mnt/home
echo "$SERVER:/home /mnt/home nfs4  rw,sec=krb5i,auto,_netdev 0 0" >>/etc/fstab
mount -a

# if everything works fine, you can use the /home, and not /mnt/home/
umount /mnt/home
rpl "/mnt/home" "/home" /etc/fstab

# in many cases you want to change the umask, so normal users will give write access for the group.
# see "man pam_umask" or for more information.
echo -e "\nsession optional umask=0002" >> /etc/pam.d/common-session

# in many cases you want to say that all users can use usb and write cd's:
echo "
" >> /etc/security/group.conf
echo "
Name: Group membership granted at login
Default: yes
Priority: 0
Auth-Type: Additional
" > /usr/share/pam-configs/group
pam-auth-update --package
# this gives an error about line 689 and 690 of pam-auth-update. Not sure.

What to do when you don't want that the person who install's the client has an admin account on the server? Or when you don't want ssh access on the server? Or when the server is a slave, and so read-only?

# On the server or master-server you can do this to get the key of a machine
kadmin.local -q "ktadd -k pc1.keytab nfs/pc1.EXAMPLE.COM"

# You have to find a secure way to bring the file to the client-machine.

# On the client you can do this to to copy the key to the right place:
mv pc1.keytab /etc/krb5.keytab
chmod 0600 /etc/krb5.keytab

# You can publish your certificate on a website. You can download it, and copy it to the right location
mv CAself-cert.pem /etc/ssl/certs/