Hi 😀 !
Here follows some information about the really well-integrated Kerberos client utilities in the NetBSD base system. I used them when trying to configure NetBSD 8.1 (I haven't checked the new 9.0 release yet) as a Kerberos client.
First, it is worth noting that there is more than one implementation of Kerberos: MIT and Heimdal are maybe the most common ones. They should be API-compatible, as was suggested to me in the IRC channel #netbsd.
The implementation of Kerberos natively used in NetBSD is Heimdal: the base system already includes an essential set of utilities like kinit(1), klist(1), kadmin(8), ktutil(8). If the MIT Kerberos is needed, several packages are available in the pkgsrc repository.
Using only the base system, with just the creation of an appropriate /etc/krb5.conf file and the necessary lines in /etc/hosts, a NetBSD host is immediately able to obtain a Ticket-Granting-Ticket as a Kerberos client. I used it against an MIT Kerberos server and I found no compatibility issues. This has been quick and very, very useful.
I found instead some issues when trying to create a keytable in the NetBSD client. For example, kadmin -p admin_user suddenly shows the admin_user admin prompt, which seems very odd; then, for some of the available commands, it asks for the password and does not return the prompt after entering the correct password. The same happens with ktutil get -p admin_user host/fqdn.of.the.client.
Note that I cannot exclude that this is due to something I forgot (or did not know) to configure.
However, a keytab created with MIT Kerberos utilities and then copied into NetBSD is correctly read with ktutil -k keytab_file list and is perfectly suitable, for example to receive ssh connections.
If ssh authentication through a Kerberos user must be provided in a NetBSD client, the /etc/pam.d/ files already include a line for the pam_krb5.so module: so, no configuration for PAM is needed. I installed from pkgsrc the package pam-krb5, which includes pam_krb5.so, but this file is already in the base system in /usr/lib/security/ and maybe there is no need for the package. What is necessary instead is cy2-gssapi, which depends on cyrus-sasl (needed as well), for GSSAPI authentication, in addition to the correct configuration lines both in /etc/ssh/sshd_config (for the server) and /etc/ssh/ssh_config (for the client).
In conclusion, the NetBSD 8.1 base system includes some executables and libraries which make a Kerberos client configuration almost immediate. Thanks to those who tailored the base system.
The original message is from the @netbsd-users mailing list: I hope it can also be useful here.
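
As an added illustration (not part of the original post), here is a minimal sketch of the four files the post names. The realm EXAMPLE.COM, the host names and the 192.0.2.x addresses are constructed placeholders; the options are standard krb5.conf and OpenSSH settings.

```conf
# ---- /etc/hosts ----
# Constructed addresses from the documentation range. The client must
# resolve the KDC, and its own FQDN must match its host/ principal.
192.0.2.10   kdc.example.com      kdc
192.0.2.20   client.example.com   client

# ---- /etc/krb5.conf ----
# This syntax is accepted by both Heimdal and MIT Kerberos.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# ---- /etc/ssh/sshd_config (host receiving ssh connections) ----
# The host's keytab must hold the host/client.example.com@EXAMPLE.COM
# principal (host/fqdn.of.the.client in the post).
GSSAPIAuthentication yes
# Destroy the user's credential cache at logout.
GSSAPICleanupCredentials yes
# Lets the pam_krb5.so line already present in /etc/pam.d/ take effect.
UsePAM yes

# ---- /etc/ssh/ssh_config (host initiating ssh connections) ----
# Restrict GSSAPI to hosts in the realm's domain, and do not forward
# the TGT unless the remote host really needs to act on your behalf.
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

With files like these in place, kinit followed by klist should list a krbtgt/EXAMPLE.COM@EXAMPLE.COM ticket, which is the Ticket-Granting-Ticket the post refers to.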