I have the need to work on some of my systems with my LDAP/Kerberos5 user while not being connected to any network. By now I have managed to get around this by using pam-ccreds and nss-db which would locally cache user credentials.

Now there's a new approach to this whole situation: SSSD, a project introduced by Fedora.

It combines the functionality of pam-ccreds and nss-db while enhancing it with several features like multi-domain support (e.g. use several different LDAP sources for user authentication). A PAM and a NSS module ar provided while the main part of the configuration is done inside one single file: /etc/sssd/sssd.conf

My current configuration can be found as a Puppet template:  sssd.conf

The appropriate NSS configuration: nsswitch.conf

And the different PAM stage configurations, tailord for a Debian/Sid installation:

• common-account
• common-auth
• common-password
• common-session
• common-session-noninteractive

I have migrated all my systems to SSSD by now and it works like a charm, no more silly KRB5 timeouts when working offline.