On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
> Sometimes when the user logs in, or unlocks his workstation the
> users kerberos keytab is not created or updated.
You mean credential caches rather than keytabs, right?
How are pam_ldap and pam_krb5 combined in your configuration?
Is pam_ldap being used for account management, or is it also being used
to check passwords? If pam_krb5 isn't verifying the password, it won't
obtain credentials which it can use to populate a credential cache when
the user's session is opened, so it won't try to create one.
> Often, just locking the screen with the screensaver and unlocking
> again creates or updates the keytab file.
> I've had a look at /var/log/secure without getting any smarter.
What gets logged to /var/log/secure when things aren't working right?
Can you turn on debugging for pam_krb5 (set "debug = true" in the "pam"
subsection of [appdefaults] in /etc/krb5.conf, and configure syslog to
save messages with priority=debug) and share the debug messages you get
when things aren't working?
Freeipa-users mailing list