Found it. It was SELinux related.
For some reason allow_gssd_read_tmp was off; running semanage boolean -1 allow_gssd_read_tmp solved it.

[As a side note: why is this even tunable? Is there a practical usage mode of rpc.gssd that does not require access to the credential caches?]

Thanks again for your help!

Tom