[CentOS] Single sign-on help requested

Thu Aug 23 12:54:12 UTC 2007
Scott Ehrlich <scott at MIT.EDU>

I have a RHEL5 Server and some dual-boot XP/CentOS 5 systems (Linux 
systems all 64-bit).   All Linux is out-of-box, with all packages, minus 
international languages, installed.  No patching has been done.

On the server, I selected system-config-authentication and enabled 
LDAP for User Information, Kerberos, LDAP, and SMB for Authentication, and 
Shadow and MD5 Passwords, along with Authenticate system accounts by 
network services for Options.

All machines are on an isolated LAN, with no DNS server (I could always 
enable and configure DNS on the server if it helps the cause).

I also don't know if it matters, but the server is running the 
virtualization kernel (xen), but the clients are not.

I only have LDAP service enabled on the server.   Kerberos services are 
enabled on both client and server.

I tweaked the LDAP and Kerberos settings using the CentOS/RH GUIs, and 
have the clients looking to the RH box for authentication.

I also have the firewall enabled, but am letting kerberos and ldap ports 
through as tcp.

During a login test, /var/log/messages on the client showed:

lin1 gdm[pid]: nss_ldap: failed to bind to LDAP server 
ldap://192.168.1.100: Can't contact LDAP server

lin1 gdm[pid]: nss_ldap: reconnecting to LDAP server (sleeping 32 
seconds)...

lin1 dbus-daemon: nss_ldap: failed to bind to LDAP server 
ldap://192.168.1.100: Can't contact LDAP server

lin1 dbus-daemon: dss_ldap: failed to bind to LDAP server...

lin1 xfs: ...


During boot time, Starting system message bus: [long pause] then error 
messages about DB_CONFIG and /var/lib/ldap, the usual cannot find 
DB_CONFIG in /var/lib/ldap, showing the example.com instead of my 
customized ldap settings, etc.

I've checked openldap.org, but I figured if the configuration appears to 
be simplified via an included GUI, I shouldn't have much trouble gettigns 
things going.

Anyway, what am I missing?   Anything special RH 5 is doing compared to 
the openldap docs?

Both servers have been rebooted since adding the respective ports in the 
firewall.

The goal is a to permit my test user, created on the server, to sit at a 
workstation, boot into either Linux or XP, and get their home directory.

Ideally, the server only needs to consist of one account for them, which 
they get upon login on the workstation.

I want to highly restrict _any_ third-party tools/apps/etc.   I will be 
happy to take suggestions and leads, but I want to try and rely on what RH 
has provided.

Thanks for any insight/help.

Scott