Success with Kerberos and LDAP!

Due to some grumbling among the users (a.k.a., family members) about the name I assigned to the DreamPlug — hard to spell, hard to type, etc., etc. — I decided to change the hostname of the device to something shorter and easier to type. I knew this could open a can of worms with configuration issues, so I was pretty careful. The one thing I wasn't sure about was the Kerberos database. Now, if you've followed along with this saga, you might wonder why I bothered to keep the never-properly-functional Kerberos setup on DreamPlug. I guess it boils down to a mix of being stubborn and sloppy. Too stubborn to admit defeat, too sloppy to clean up after myself. Anyway, to make sure the hostname change didn't cause problems that might be tricky to track down later, I decided to wipe both the LDAP and Kerberos databases. Starting fresh, I created the basic principals in Kerberos and repopulated LDAP with a starter set of data.

Now, tinkering with this old sore spot made me want to tinker with it just a bit more, and that's what I did. Tinker here, dabble there, tweak this, adjust that... And somewhere along the line, I realized I had what appeared to be a properly functioning Kerberos and LDAP setup. I switched over to my regular computer and muddled my way through telling it to use the DreamPlug for a Kerberos and LDAP server, which included changing the PAM configuration (of course). Many tweaks later, I was able to log in to that Linux box using the test account defined in LDAP with the matching password set in Kerberos. Success! I could log in both in text mode and in gdm (GNOME).

As I tweeted at the time, it's not very satisfying (from an analysis point of view) to say "and suddenly it started working." I want to be able to document exactly how I got it to work, so I can share that with others and also repeat it myself later if I end up wiping the system and starting over. Unfortunately, I don't have a clear answer. I know that it's working now, but I can't document anything specific that made it all work. If you've toyed with this sort of thing before, you know there are many configuration steps and many pieces of the puzzle to get right. I think the learning I did before helped this time around, by improving the accuracy (and therefore value) of my answers to prompts along the way. In other words, I don't think it was just dumb luck to stumble on the right combination of things, even though it sort of feels that way.

The one piece of the puzzle that I haven't worked on since achieving this success is ensuring that Samba plays nice with the Kerberos/LDAP servers. I'll get to that eventually. Right now, I have Samba working OK on its own, with the hassles of non-centralized user management. Someday, probably not soon, I'll tackle that next integration step. I'll also get around to reconfiguring the other computers on the network to use the Kerberos/LDAP services on the DreamPlug. But for now, I'm just happy with my recent successes!