On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
> Hi,
> 
> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
> Sometimes when the user logs in, or unlocks his workstation the
> users kerberos keytab is not created or updated.

You mean credential caches rather than keytabs, right?

How are pam_ldap and pam_krb5 combined in your configuration?

Is pam_ldap being used for account management, or is it also being used
to check passwords?  If pam_krb5 isn't verifying the password, it won't
obtain credentials which it can use to populate a credential cache when
the user's session is opened, so it won't try to create one.

> Often, just locking the screen with the screensaver and unlocking
> again creates or updates the keytab file.
> 
> I've had a look at /var/log/secure without getting any smarter.

What gets logged to /var/log/secure when things aren't working right?

Can you turn on debugging for pam_krb5 (set "debug = true" in the "pam"
subsection of [appdefaults] in /etc/krb5.conf, and configure syslog to
save messages with priority=debug) and share the debug messages you get
when things aren't working?

Nalin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to