On Tue, 12 Apr 2011, Alain Péan wrote:
> Hi John,
>
> Thnks for your answer. Here are the content of /etc/krb5.conf and klist
> -ke. I agree that there can be siomething missing, that was working
> before...
The keytab isn't valid for the host as it doesn't contain a usable principal
for doing a validation of the KDC. The pam_krb5 rpm has sensibly changed the
default for validate from false to true. Try adding:
[appdefaults]
pam = {
novalidate = true
}
I /think/ that'd work, but you'd be less secure than if you just sorted out
your keytab. Get a real principal for your domain into the keytab, and
validate will work. You're using LAB-LPP.LOCAL, but only have principals from
TEST-LPP.LOCAL in your keytab.
jh