Configure RHEL5 to use LDAP services
There are also system-config tools to simplify this procedure.
# --- hostname and DNS ---------------------------------------------------------
vi /etc/sysconfig/network   # set HOSTNAME to the FQDN, here rhel5.fluxcoil.net
cat >/etc/resolv.conf <<EOT
domain fluxcoil.net
nameserver 10.0.22.19
EOT

# --- OpenLDAP client library (ldapsearch and friends) -------------------------
# TLS_CACERT names the CA the directory server's certificate must chain to
cat >/etc/openldap/ldap.conf <<EOT
URI ldap://fed10.fluxcoil.net
BASE dc=fluxcoil,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pem
EOT

# copy the CA cert over from the directory server.  This file is the trust
# anchor for every LDAP-over-TLS connection configured here, so its integrity
# rests on the ssh host key of fed10 -- compare the fingerprint out of band
# before relying on it
scp fed10:/etc/pki/tls/cacert.pem /etc/openldap/cacerts/

# --- nss_ldap / pam_ldap client (/etc/ldap.conf) ------------------------------
# NOTE(review): this file names sid64 as the server while ldap.conf above uses
# fed10 -- confirm both are intended
# pam_groupdn + pam_member_attribute: only memberUid entries of that group may
# log in via pam_ldap
# ssl start_tls + tls_checkpeer yes: upgrade to TLS and reject a server whose
# certificate does not chain to tls_cacertfile; without tls_checkpeer the
# passwords pam_ldap sends would be exposed to a spoofed server
# pam_password md5: hash scheme pam_ldap uses when it changes a password
vi /etc/ldap.conf
----------------------------------
host sid64.fluxcoil.net
base dc=fluxcoil,dc=net
pam_groupdn cn=server0,ou=logins,dc=fluxcoil,dc=net
pam_member_attribute memberUid
pam_password md5
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
----------------------------------

# --- name service switch: local files first, then the directory --------------
vi /etc/nsswitch.conf
----------------------------------
passwd: files ldap
group: files ldap
hosts: files dns ldap
----------------------------------

# check it: directory users/groups should now appear next to the local ones
getent passwd
getent group
Configure RHEL5 to use Kerberos
# client tools: provides kinit, kadmin, ktutil and kvno used further down
yum install krb5-workstation
# file contents follow between the dashed lines
vi /etc/krb5.conf
------------------
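# /etc/krb5.conf -- MIT Kerberos client configuration for realm FLUXCOIL.NET
# Comments must start at the beginning of a line: the profile parser keeps
# trailing "# ..." text as part of the value.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FLUXCOIL.NET
 # des3-hmac-sha1 is a legacy (RHEL5-era) enctype; current MIT krb5 releases
 # deprecate it -- prefer AES once the KDC supports it
 # NOTE(review): default_etypes is not a documented libdefaults key in MIT
 # krb5 -- presumably ignored; default_tkt_enctypes/default_tgs_enctypes are
 # the ones that take effect
 default_etypes = des3-hmac-sha1
 default_tkt_enctypes = des3-hmac-sha1
 default_tgs_enctypes = des3-hmac-sha1
 # realm and KDC come from [realms]/[domain_realm] below, not from DNS
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 # booleans: "true"/"false" throughout (krb5 also accepts yes/no)
 forwardable = true
 # left disabled on purpose: enabling it would also permit rc4-hmac and
 # single-DES des-cbc-crc, both weaker than des3
 # permitted_enctypes = des3-hmac-sha1 rc4-hmac des-cbc-crc

[realms]
 FLUXCOIL.NET = {
  admin_server = fed10.fluxcoil.net:749
  default_domain = fluxcoil.net
  kdc = fed10.fluxcoil.net:88
 }

[domain_realm]
 .fluxcoil.net = FLUXCOIL.NET
 fluxcoil.net = FLUXCOIL.NET

[appdefaults]
 pam = {
  # validate: verify the obtained TGT against the host keytab (mutual
  # authentication, protects against a spoofed KDC).  The explanation is on
  # its own line -- a trailing comment after the value would have been read
  # as part of the value and not as the boolean true
  validate = true
  debug = false
  # seconds
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
 kinit = {
  forwardable = true
 }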
------------------
# on the ssh-server: create a host principal and store its key in a keytab.
# First authenticate as an admin principal, then use the kadmin client.
kinit chorn/admin
kadmin
> addprinc -randkey host/rhel5.fluxcoil.net
> ktadd -k /etc/krb5.tab host/rhel5.fluxcoil.net
# NOTE(review): MIT's default keytab is /etc/krb5.keytab; with /etc/krb5.tab
# sshd/pam_krb5 will only find the host key if default_keytab_name (or
# KRB5_KTNAME) points there -- confirm.  The keytab is the host's long-term
# key: keep it root-owned, mode 0600.
# configure pam, i.e. call system-config-authentication
# configure sshd with 'GSSAPIAuthentication yes' and 'GSSAPICleanupCredentials yes' and restart it
# (GSSAPICleanupCredentials removes the forwarded credential cache at logout)
# now start on a client sshd with 'GSSAPIAuthentication yes' and 'GSSAPICleanupCredentials yes'
# now from some other host 'kinit user0' and you can
# ssh -o'GSSAPIAuthentication yes' -o'GSSAPIDelegateCredentials yes' user0@rhel5
# (DelegateCredentials forwards the TGT to rhel5 -- only do this towards hosts
# you trust with your credentials)
# or kerberized telnet...
# debugging:
# ktutil - show principals in keytabs
# kvno - get tickets
# the hostname must match the one in the host/ principal, otherwise the
# service ticket cannot be validated against the keytab