Login using Kerberos and LDAP

Hi
I am trying to set up a server with LDAP and Kerberos and log the users in using the Kerberos accounts.
The server is Debian 10 with OpenLDAP and Kerberos krb5.
The client is openSUSE 15.1.
I am able to log in to Kerberos from the client with kinit, but I am not able to set up the client so that I can log in to the client using the Kerberos account.
I am not sure if I am using a wrong approach or if there is a problem on the server or client.
I am currently trying to configure sssd on the client. Based on the guidance I found on the internet, I think that is the correct way.

What I want is to be able to log in to the clients with the Kerberos account and then automatically log on to the servers etc. The users also need to be able to log on when the laptops are offline.

Any tips on where to start?
What do LDAP and Kerberos need to provide as settings?
How do I locate the problem on the client?
Does anyone have a complete guide for this setup? I always found pieces, and most were for an AD server.

Thanks

The openSUSE LDAP documentation including configuring SSSD

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha-security-ldap.html

TSU

Thanks TSU

I checked the documentation. It helped a bit. But the command dsidm doesn’t work and I didn’t find the package for it. But I am currently not sure if the sssd configuration is the problem.
On the client I get the log entry
sssd [be] : Backend is offline

But when I check the server I see that a connection from the client is coming in and it looks like the connection is accepted. But it shows an error type=sudohost

Feb 24 15:17:34 srv-t-authsrv slapd[614]: conn=1013 op=2 SRCH base="dc=site1,dc=escher-greb,dc=ch" scope=2 deref=0 filter="(&(uid=gian)(obj
Feb 24 15:17:34 srv-t-authsrv slapd[614]: conn=1013 op=2 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory log
Feb 24 15:17:34 srv-t-authsrv slapd[614]: conn=1013 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 24 15:19:46 srv-t-authsrv slapd[614]: conn=1013 op=3 UNBIND
Feb 24 15:19:46 srv-t-authsrv slapd[614]: conn=1013 fd=24 closed
Feb 24 15:19:51 srv-t-authsrv slapd[614]: conn=1014 fd=24 ACCEPT from IP=192.168.40.133:51806 (IP=0.0.0.0:389)
Feb 24 15:19:51 srv-t-authsrv slapd[614]: conn=1014 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=)"
Feb 24 15:19:51 srv-t-authsrv slapd[614]: conn=1014 op=0 SRCH attr=
altServer namingContexts supportedControl supportedExtension supported
Feb 24 15:19:51 srv-t-authsrv slapd[614]: conn=1014 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 24 15:19:51 srv-t-authsrv slapd[614]: conn=1014 op=1 SRCH base="dc=site1,dc=escher-greb,dc=ch" scope=2 deref=0 filter="(&(uid=gian)(obj
Feb 24 15:19:51 srv-t-authsrv slapd[614]: conn=1014 op=1 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory log
Feb 24 15:19:51 srv-t-authsrv slapd[614]: conn=1014 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 24 15:19:56 srv-t-authsrv slapd[614]: get_filter: conn 1014 unknown attribute type=sudoHost (17)
Feb 24 15:19:56 srv-t-authsrv slapd[614]: get_ssa: conn 1014 unknown attribute type=sudoHost (17)
Feb 24 15:19:56 srv-t-authsrv slapd[614]: get_ssa: conn 1014 unknown attribute type=sudoHost (17)
Feb 24 15:19:56 srv-t-authsrv slapd[614]: get_ssa: conn 1014 unknown attribute type=sudoHost (17)
Feb 24 15:19:56 srv-t-authsrv slapd[614]: get_ssa: conn 1014 unknown attribute type=sudoHost (17)
Feb 24 15:19:56 srv-t-authsrv slapd[614]: get_ssa: conn 1014 unknown attribute type=sudoHost (17)
Feb 24 15:19:56 srv-t-authsrv slapd[614]: conn=1014 op=2 SRCH base="dc=site1,dc=escher-greb,dc=ch" scope=2 deref=0 filter="(&(?objectClass=
Feb 24 15:19:56 srv-t-authsrv slapd[614]: conn=1014 op=2 SRCH attr=objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRu
Feb 24 15:19:56 srv-t-authsrv slapd[614]: conn=1014 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 24 15:21:45 srv-t-authsrv slapd[614]: conn=1014 op=3 UNBIND
Feb 24 15:21:45 srv-t-authsrv slapd[614]: conn=1014 fd=24 closed

Any suggestions what the problem might be?

Solved
I still have to figure out the details of the configuration, but it is working.

Looks like the problem was ldap_schema: don’t use rfc2307bis but rfc2307, as bis is for AD and causes issues with Kerberos.

The other problem was the authentication of the LDAP client. I had enabled the login with Kerberos but didn’t know the setting for sssd. The following settings in sssd.conf solved the problem:

ldap_sasl_mech = gssapi
ldap_sasl_authid = host/machine.fqdn@REALM
ldap_krb5_keytab = /etc/krb5.keytab
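
A small triage script for slapd logs like the ones posted in this thread, added here as an example and not part of any poster's message: it maps the numeric codes (err=32, and the 17 in the sudoHost lines) to their LDAP names and flags failed searches on connections where no BIND was logged. The sample log is constructed; its host name, IP address, base DN and uid are placeholders.

```python
import re

# LDAP result codes seen in this kind of log (names from RFC 4511).
RESULT = {17: "undefinedAttributeType", 32: "noSuchObject",
          49: "invalidCredentials", 50: "insufficientAccessRights"}

# Constructed sample modeled on the thread's slapd output (placeholder values).
SAMPLE_LOG = """\
Feb 24 15:19:51 ldapsrv slapd[614]: conn=1014 fd=24 ACCEPT from IP=192.0.2.10:51806 (IP=0.0.0.0:389)
Feb 24 15:19:51 ldapsrv slapd[614]: conn=1014 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(uid=alice)"
Feb 24 15:19:51 ldapsrv slapd[614]: conn=1014 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 24 15:19:56 ldapsrv slapd[614]: get_filter: conn 1014 unknown attribute type=sudoHost (17)
Feb 24 15:19:56 ldapsrv slapd[614]: get_ssa: conn 1014 unknown attribute type=sudoHost (17)
Feb 24 15:19:56 ldapsrv slapd[614]: conn=1014 op=2 UNBIND
Feb 24 15:20:02 ldapsrv slapd[614]: conn=1015 fd=24 ACCEPT from IP=192.0.2.10:51810 (IP=0.0.0.0:389)
Feb 24 15:20:02 ldapsrv slapd[614]: conn=1015 op=0 BIND dn="" method=163
Feb 24 15:20:02 ldapsrv slapd[614]: conn=1015 op=2 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(uid=alice)"
Feb 24 15:20:02 ldapsrv slapd[614]: conn=1015 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

def triage(log):
    """Return {conn_id: [finding, ...]} for failed searches and schema errors."""
    bound, bases, findings = set(), {}, {}
    for line in log.splitlines():
        m = re.search(r"conn[= ](\d+)", line)
        if not m:
            continue
        conn = int(m.group(1))
        notes = findings.setdefault(conn, [])
        if re.search(r"op=\d+ BIND ", line):  # a bind was attempted on this connection
            bound.add(conn)
        elif s := re.search(r'op=(\d+) SRCH base="([^"]*)"', line):
            bases[conn, s.group(1)] = s.group(2)
        elif r := re.search(r"op=(\d+) SEARCH RESULT .*\berr=(\d+)", line):
            code = int(r.group(2))
            if code:  # 32 is also returned when ACLs hide the base from this identity
                who = "BIND seen" if conn in bound else "anonymous, no BIND seen"
                base = bases.get((conn, r.group(1)), "?")
                notes.append(f"{RESULT.get(code, code)} for base {base} ({who})")
        elif u := re.search(r"unknown attribute type=(\S+) \((\d+)\)", line):
            note = f"{u.group(1)} not in server schema ({RESULT.get(int(u.group(2)), u.group(2))})"
            if note not in notes:  # slapd repeats this line once per filter component
                notes.append(note)
    return findings

if __name__ == "__main__":
    for conn, notes in triage(SAMPLE_LOG).items():
        print(conn, notes or "ok")
```

A noSuchObject result on an anonymous connection is consistent with the fix reported above: once sssd binds with GSSAPI, the same search runs as an authenticated identity.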