I have a problem with setting up auth for users on Linux (Fedora Core 15 to be exact) using Active Directory on Windows 2008 Server with installed support for UNIX systems. I've successfully set up Kerberos, tested using kinit -p <login> and klist to see the ticket. But I still cannot log in.
To reduce useless answers for me: no Samba, Winbind, Likewise or other software allowed. Only NIS/LDAP allowed.
Clarification: I want to set up a client machine with both local and SSH access.
Update: I configured AD access through LDAP; getent passwd 106289gm and getent shadow give valid responses, but getent group doesn't show any AD groups.
If you want "the easy way", I had some good experiences with system-config-authentication and Winbind doing it the GUI way. Obviously, this is not expressly Kerberos, so downvote me appropriately if you feel inclined. You can do Winbind, but it also expressly allows LDAP if that fits your requirements better. I get an ominous red error about NSS-LDAP libraries, but I am sure you can install that with yum with a minimal amount of effort. You say you want Kerberos, but then say only NIS/LDAP is allowed. So why not just access AD as if it were LDAP? That is definitely possible in my experience. It also gives you the option of configuring Kerberos. See the screenshot.
Hint, hint, it is Fedora 15, not Fedora Core, and has not been "Core" for quite a while. I will not make jokes about the bloat in relation to the name change (as a pretty dedicated Fedora user myself).
It's one thing to be authenticated by Kerberos, it's another thing to be able to log in. To log in, you need:
Note 1: Since you can do getent passwd but not getent group, I suspect you are using the Active Directory Services for Unix map-to-LDAP approach. Do you have a valid gid set inside for Domain\Domainusers? AFAIK, Kerberos does not provide (or check for) groups. Being able to see uid entries means LDAP is mapping properly, but gid entries may not be in LDAP.
Note 2: There is also a limit to the number of entries LDAP can return in a single query, and possibly some time needed to pull the results. Did you wait long enough? Can you check the entries specifically, like getent passwd user1, getent passwd Domain\\user1, getent group domain-groupname-shown-in-getent-passwd? This should bypass the lookup time, or even the timeout. Which version of AD are you using? Depending on the version, extensions to the standard schema need to be installed or enabled. Users authenticating to Linux systems will need additional parameters set in AD.
Also, it's hard to give help without seeing your config files and without knowing what specific error message you're seeing in the auth logs. If you're able to successfully get a ticket, that probably means your kerberos settings are correct. But, pam, nsswitch, and ldap must all be configured correctly as well.
tcpdump can be very helpful in these situations as well. Sometimes the error messages are not very helpful and it can be very useful to observe the conversation on the wire directly.
Have you enabled Kerberos login within PAM?
Look in /etc/pam.d/system-auth for a line that says "auth sufficient pam_krb5.so" (or something along those lines). If you don't see it, run authconfig --enablekrb5 --update, make sure a line like that appears in the file, and then try to log in again.
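An added, offline diagnostic script (not code from this thread) that mechanises the two checks suggested in the answers above: whether the primary GID from getent passwd resolves to an entry in getent group (Note 1), and whether the PAM auth stack loads pam_krb5.so (the last answer). The getent lines, UID/GID values and PAM lines below are constructed sample data; on a real host substitute the output of the actual commands.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: does the user's primary GID from
# `getent passwd` resolve in `getent group`, and does the PAM stack enable pam_krb5?
# Uses constructed sample data so it runs offline; replace with real command output.

# Constructed sample line, shaped like `getent passwd 106289gm` for an AD/LDAP user.
SAMPLE_PASSWD='106289gm:*:10001:10513:Sample User:/home/106289gm:/bin/bash'
# Constructed sample `getent group` output containing only local groups (no AD groups).
SAMPLE_GROUP='root:x:0:
wheel:x:10:
users:x:100:'
# Constructed sample of an /etc/pam.d/system-auth auth section.
SAMPLE_PAM='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so'

# Print the primary GID (4th colon-separated field) of a passwd line.
primary_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Print the group name whose GID equals $1 in the getent group output $2 (empty if none).
group_name_for_gid() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1; exit }'
}

# Return 0 if the primary GID of passwd line $1 has a group entry in $2, else 1.
check_primary_group() {
    gid=$(primary_gid "$1")
    name=$(group_name_for_gid "$gid" "$2")
    if [ -z "$name" ]; then
        echo "GID $gid has no group entry: NSS is not returning the AD groups" >&2
        return 1
    fi
    echo "GID $gid resolves to group '$name'"
}

# Return 0 if the PAM stack text $1 contains an auth line that loads pam_krb5.so.
has_krb5_auth() {
    printf '%s\n' "$1" | grep -Eq '^auth[[:space:]].*pam_krb5\.so'
}

# Run on the constructed data; on a real host pass "$(getent passwd "$USER")",
# "$(getent group)" and "$(cat /etc/pam.d/system-auth)" instead.
check_primary_group "$SAMPLE_PASSWD" "$SAMPLE_GROUP" || echo 'check the gidNumber/group mapping in AD' >&2
has_krb5_auth "$SAMPLE_PAM" && echo 'pam_krb5 auth line present'
```

With the sample data the group check fails (GID 10513 has no group entry, matching the symptom in the question) while the PAM check passes.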