Untitled
Aug 8th, 2017
Etienne, after being able to 'su' to an LDAP user I copied the pam.d directory to my home (I compare the corresponding files lower down). Then I installed krb5-user and libpam-krb5 (and had it [auth-client-config?] overwrite the PAM config). I tried to 'su' to user 'sudoldapuser' but I am prompted for a password (when I shouldn't since I have a TGT). Here is auth.log when I enter a garbage password:

su[19127]: nss_ldap: reconnected to LDAP server ldap://10.153.107.90 after 1 attempt
su[19127]: pam_krb5(su:auth): authentication failure; logname=sudoldapuser uid=1000 euid=0 tty=/dev/pts/1 ruser=ubuntu rhost=
su[19127]: pam_unix(su:auth): authentication failure; logname=ubuntu uid=1000 euid=0 tty=/dev/pts/1 ruser=ubuntu rhost= user=sudoldapuser
su[19127]: pam_authenticate: Authentication failure
su[19127]: FAILED su for sudoldapuser by ubuntu
su[19127]: - /dev/pts/1 ubuntu:sudoldapuser

ubuntu@ldapclient:/etc$ getent passwd sudoldapuser

sudoldapuser:x:1006:10003:Sudo Matulis:/home/sudoldapuser:/bin/bash

ubuntu@ldapclient:/etc$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: sudoldapuser@EXAMPLE.COM

Valid starting     Expires            Service principal
04/01/11 12:02:03  04/01/11 22:02:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/02/11 12:02:00

ubuntu@ldapclient:/etc$ grep -v ^# ~/pam.d/common-session

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session required pam_mkhomedir.so
session optional pam_ldap.so

ubuntu@ldapclient:/etc$ grep -v ^# pam.d/common-session

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_ldap.so

ubuntu@ldapclient:/etc$ grep -v ^# ~/pam.d/common-auth

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

ubuntu@ldapclient:/etc$ grep -v ^# pam.d/common-auth

auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

ubuntu@ldapclient:/etc$ grep -v ^# ~/pam.d/common-account

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so

ubuntu@ldapclient:/etc$ grep -v ^# pam.d/common-account

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
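Added example, not part of the original paste: a small Python simulator of the stack-control rules from pam.conf(5), run over the common-auth shown above. It shows how a failed pam_krb5 with default=ignore simply falls through to pam_unix and pam_ldap, how the success=N jumps skip straight to pam_permit, and why the requisite pam_deny is what finally produces the single "Authentication failure" in auth.log; module return values are supplied by the caller (constructed), and the walk is a simplification of libpam's real one.

```python
import re
# Keyword controls in their bracketed form, per pam.conf(5); the paste uses no "sufficient".
KEYWORDS = {
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "optional":  {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
BUILTIN = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}  # fixed return values
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")
def parse_stack(text):
    """Parse common-* lines into (type, control dict, module, options) tuples."""
    stack = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        mtype, control, module, opts = LINE_RE.match(line).groups()
        if control.startswith("["):  # e.g. [success=3 default=ignore]
            control = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            control = KEYWORDS[control]
        stack.append((mtype, control, module, opts.split()))
    return stack

def evaluate(stack, results):
    """Simplified libpam walk; results maps module -> return value (constructed). Returns (result, modules invoked)."""
    invoked, status, failed, i = [], None, False, 0
    while i < len(stack):
        _, control, module, _ = stack[i]
        ret = {**BUILTIN, **results}[module]
        action = control.get(ret, control.get("default", "bad"))
        invoked.append(module)
        i += 1
        if action.isdigit():  # success=N: counts as ok and skips the next N modules
            status, i = (status if failed else "success"), i + int(action)
        elif action == "ok" and not failed:
            status = "success"
        elif action == "bad" and not failed:
            status, failed = ret, True  # required: first failure sticks, stack keeps running
        elif action == "die":
            return (status if failed else ret), invoked  # requisite: fail right here
    return status or "perm_denied", invoked  # only "ignore" actions ran: libpam denies

# common-auth as shown in the paste, with pam_krb5 stacked ahead of pam_unix and pam_ldap.
COMMON_AUTH = """
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
```

With every backend returning auth_err (the garbage-password case) the walk visits pam_krb5, pam_unix and pam_ldap in turn and then dies at pam_deny, which is the sequence the auth.log above records.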