Re: [Freeipa-users] KRB5 keytab not always created or updated on RHEL 5

2012-09-11 Thread Sigbjorn Lie



On Tue, September 11, 2012 01:16, Nalin Dahyabhai wrote:
> On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
>
>> Hi,
>>
>>
>> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
>> Sometimes when the user logs in, or unlocks his workstation the
>> users kerberos keytab is not created or updated.
>
> You mean credential caches rather than keytabs, right?
>

Yes.

>
> How are pam_ldap and pam_krb5 combined in your configuration?
>

Sorry, my bad. We do not use pam_ldap, only pam_krb5.

>
> Is pam_ldap being used for account management, or is it also being used
> to check passwords?  If pam_krb5 isn't verifying the password, it won't
> obtain credentials which it can use to populate a credential cache when
> the user's session is opened, so it won't try to create one.
>
>> Often, just locking the screen with the screensaver and unlocking
>> again creates or updates the keytab file.
>>
>> I've had a look at /var/log/secure without getting any smarter.
>>
>
> What gets logged to /var/log/secure when things aren't working right?
>

Sep 10 08:48:44 ws kcheckpass: pam_unix(kscreensaver:auth): authentication failure; logname=username uid=12345 euid=12345 tty=:0 ruser= rhost=  user=username
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: error reading keytab 'FILE:/etc/krb5.keytab'
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: TGT verified
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: authentication succeeds for 'username' (username@REALM)


>
> Can you turn on debugging for pam_krb5 (set "debug = true" in the "pam"
> subsection of [appdefaults] in /etc/krb5.conf, and configure syslog to
> save messages with priority=debug) and share the debug messages you get
> when things aren't working?
>

Ok, sure. There is some time in between these reports so it might take a while 
to gather the results.


Regards,
Siggi


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] KRB5 keytab not always created or updated on RHEL 5

2012-09-10 Thread Nalin Dahyabhai
On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
> Hi,
> 
> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
> Sometimes when the user logs in, or unlocks his workstation the
> users kerberos keytab is not created or updated.

You mean credential caches rather than keytabs, right?

How are pam_ldap and pam_krb5 combined in your configuration?

Is pam_ldap being used for account management, or is it also being used
to check passwords?  If pam_krb5 isn't verifying the password, it won't
obtain credentials which it can use to populate a credential cache when
the user's session is opened, so it won't try to create one.

> Often, just locking the screen with the screensaver and unlocking
> again creates or updates the keytab file.
> 
> I've had a look at /var/log/secure without getting any smarter.

What gets logged to /var/log/secure when things aren't working right?

Can you turn on debugging for pam_krb5 (set "debug = true" in the "pam"
subsection of [appdefaults] in /etc/krb5.conf, and configure syslog to
save messages with priority=debug) and share the debug messages you get
when things aren't working?

Nalin

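A small log triage helper, added here as an example and not code from the thread or from pam_krb5 itself: it parses /var/log/secure lines in the layout shown in the thread, groups the pam_krb5 messages by PID, and lists the logins that succeeded even though the module reported it could not read the keytab. The sample lines are constructed from the excerpt above plus one hypothetical gdm login; the regex and program-name handling are assumptions about the syslog format.

```python
import re
from collections import defaultdict

# Constructed sample: the kcheckpass lines from the thread plus a hypothetical gdm login.
SAMPLE_LOG = """\
Sep 10 08:48:44 ws kcheckpass: pam_unix(kscreensaver:auth): authentication failure; logname=username uid=12345 euid=12345 tty=:0 ruser= rhost=  user=username
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: error reading keytab 'FILE:/etc/krb5.keytab'
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: TGT verified
Sep 10 08:48:45 ws kcheckpass: pam_krb5[14342]: authentication succeeds for 'username' (username@REALM)
Sep 10 09:02:10 ws gdm[2201]: pam_krb5[2201]: TGT verified
Sep 10 09:02:10 ws gdm[2201]: pam_krb5[2201]: authentication succeeds for 'username' (username@REALM)
"""

# Assumed syslog layout: "<timestamp> <host> <program>[pid]: pam_krb5[pid]: <message>"
PAM_KRB5_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: "
    r"pam_krb5\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def parse_pam_krb5(log_text):
    """Yield (pid, program, message) for each pam_krb5 line; other lines are skipped."""
    for line in log_text.splitlines():
        m = PAM_KRB5_RE.match(line)
        if m:
            yield m.group("pid"), m.group("prog"), m.group("msg")

def summarize_sessions(log_text):
    """Group pam_krb5 messages by PID and record what each authentication reported."""
    sessions = defaultdict(lambda: {"program": None, "user": None, "succeeded": False,
                                    "tgt_verified": False, "keytab_error": None})
    for pid, prog, msg in parse_pam_krb5(log_text):
        s = sessions[pid]
        s["program"] = prog
        if msg.startswith("error reading keytab"):
            # Keep the keytab name the module tried to open, e.g. FILE:/etc/krb5.keytab
            s["keytab_error"] = msg.split("'", 2)[1] if "'" in msg else msg
        elif msg == "TGT verified":
            s["tgt_verified"] = True
        else:
            m = re.match(r"authentication succeeds for '([^']+)'", msg)
            if m:
                s["succeeded"] = True
                s["user"] = m.group(1)
    return dict(sessions)

def sessions_with_unreadable_keytab(log_text):
    """PIDs that reported success although the keytab could not be read: the logins to
    examine first (with 'debug = true' in [appdefaults] pam, as suggested in the thread)."""
    return sorted(pid for pid, s in summarize_sessions(log_text).items()
                  if s["succeeded"] and s["keytab_error"])
```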