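#!/usr/bin/env bash
# ===== manual kerberos/ldap hookup per nscd =====
# Admin notes for hooking a RHEL6 box up to the IPA server rhel6u1a.fluxcoil.net
# with nss_ldap/pam_ldap + pam_krb5 + nscd (sssd is removed first).
# Interactive steps (vi, kinit, ssh) are commands to run by hand, not a script.

vi /etc/hosts              # ensure the participating boxes are in here
vi /etc/security/network   # ensure HOSTNAME is fully qualified

rpm -e sssd
yum -y install krb5-workstation openldap-clients pam_ldap pam_krb5 nss_ldap

# copy configs from the ipa server
scp rhel6u1a:/etc/krb5.conf /etc
scp rhel6u1a:/etc/resolv.conf /etc

# sanity checks: get a ticket, then look the user up over LDAP
kinit chorn
ldapsearch -x -b dc=fluxcoil,dc=net -h rhel6u1a.fluxcoil.net cn=chorn

# Optional: build the hash links OpenSSL needs to find the CA certs in
# tls_cacertdir. The link name must be <hash>.0 -- a link named after the
# bare hash is not found by the by-directory lookup -- and the loop
# variables must be quoted. `c_rehash /etc/openldap/cacerts` does the same.
# cd /etc/openldap/cacerts
# for i in *; do
#   [[ -f "$i" ]] || continue
#   ln -s -- "$i" "$(openssl x509 -noout -hash -in "$i").0"
# done

authconfig --enableldap --enableldapauth \
  --ldapserver=rhel6u1a.fluxcoil.net --ldapbasedn="dc=fluxcoil,dc=net" \
  --enableldaptls --enablelocauthorize --enablemkhomedir --updateall

# This /etc/ldap.conf works for cleartext (for debugging only). With a plain
# ldap:// uri and no "ssl start_tls" line, binds and passwords cross the wire
# unencrypted -- presumably this replaces the TLS setting --enableldaptls
# wrote, so switch to ldaps:// or add "ssl start_tls" once debugging is done.
#   base dc=fluxcoil,dc=net
#   timelimit 120
#   bind_timelimit 120
#   idle_timelimit 3600
#   nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
#   uri ldap://rhel6u1a.fluxcoil.net/
#   tls_cacertdir /etc/openldap/cacerts
#   pam_password md5

service nscd restart
chkconfig nscd on

# Add pam_krb5 to the stack by hand (authconfig above was run without
# --enablekrb5). Note: re-running authconfig --updateall regenerates the
# file it manages and will likely drop these manually added lines.
vi /etc/pam.d/system-auth
#   auth      sufficient pam_krb5.so use_first_pass
#   password  sufficient pam_krb5.so use_authtok

# login should work now
ssh chorn@127.0.0.1

# to be able to do kerberos password changes (same two lines as above;
# the original notes list this edit twice)
vi /etc/pam.d/system-auth
#   auth      sufficient pam_krb5.so use_first_pass
#   password  sufficient pam_krb5.so use_authtok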