On Tue, September 11, 2012 01:16, Nalin Dahyabhai wrote:
> On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
>> Hi,
>> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
>> Sometimes when the user logs in, or unlocks his workstation the
>> users kerberos keytab is not created or updated.
> You mean credential caches rather than keytabs, right?


> How are pam_ldap and pam_krb5 combined in your configuration?

Sorry, my bad. We do not use pam_ldap, only pam_krb5.

> Is pam_ldap being used for account management, or is it also being used
> to check passwords?  If pam_krb5 isn't verifying the password, it won't 
> obtain credentials which it
> can use to populate a credential cache when the user's session is opened, so 
> it won't try to
> create one.
>> Often, just locking the screen with the screensaver and unlocking
>> again creates or updates the keytab file.
>> I've had a look at /var/log/secure without getting any smarter.
> What gets logged to /var/log/secure when things aren't working right?

Sep 10 08:48:44 ws kcheckpass: pam_unix(kscreensaver:auth): authentication 
logname=username uid=12345 euid=12345 tty=:0 ruser= rhost=  user=username
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: error reading keytab 
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: TGT verified
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: authentication succeeds for 

> Can you turn on debugging for pam_krb5 (set "debug = true" in the "pam"
> subsection of [appdefaults] in /etc/krb5.conf, and configure syslog to save 
> messages with
> priority=debug) and share the debug messages you get when things aren't 
> working?

Ok, sure. There is some time in between these reports so it might take a while 
to gather the results.


Freeipa-users mailing list

Reply via email to