On Tue, September 11, 2012 01:16, Nalin Dahyabhai wrote:
> On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
>> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
>> Sometimes when the user logs in, or unlocks his workstation the
>> users kerberos keytab is not created or updated.
> You mean credential caches rather than keytabs, right?
> How are pam_ldap and pam_krb5 combined in your configuration?
Sorry, my bad. We do not use pam_ldap, only pam_krb5.
> Is pam_ldap being used for account management, or is it also being used
> to check passwords? If pam_krb5 isn't verifying the password, it won't
> obtain credentials which it
> can use to populate a credential cache when the user's session is opened, so
> it won't try to
> create one.
>> Often, just locking the screen with the screensaver and unlocking
>> again creates or updates the keytab file.
>> I've had a look at /var/log/secure without getting any smarter.
> What gets logged to /var/log/secure when things aren't working right?
Sep 10 08:48:44 ws kcheckpass: pam_unix(kscreensaver:auth): authentication
logname=username uid=12345 euid=12345 tty=:0 ruser= rhost= user=username
Sep 10 08:48:45 ws kcheckpass: pam_krb5: error reading keytab
Sep 10 08:48:45 ws kcheckpass: pam_krb5: TGT verified
Sep 10 08:48:45 ws kcheckpass: pam_krb5: authentication succeeds for
> Can you turn on debugging for pam_krb5 (set "debug = true" in the "pam"
> subsection of [appdefaults] in /etc/krb5.conf, and configure syslog to save
> messages with
> priority=debug) and share the debug messages you get when things aren't
Ok, sure. There is some time in between these reports so it might take a while
to gather the results.
Freeipa-users mailing list