On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
> Hi,
>
> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
> Sometimes when the user logs in, or unlocks his workstation the
> user's Kerberos keytab is not created or updated.

You mean credential caches rather than keytabs, right?

How are pam_ldap and pam_krb5 combined in your configuration? Is pam_ldap being used for account management, or is it also being used to check passwords? If pam_krb5 isn't verifying the password, it won't obtain credentials which it can use to populate a credential cache when the user's session is opened, so it won't try to create one.

> Often, just locking the screen with the screensaver and unlocking
> again creates or updates the keytab file.
>
> I've had a look at /var/log/secure without getting any smarter.

What gets logged to /var/log/secure when things aren't working right? Can you turn on debugging for pam_krb5 (set "debug = true" in the "pam" subsection of [appdefaults] in /etc/krb5.conf, and configure syslog to save messages with priority=debug) and share the debug messages you get when things aren't working?

Nalin
