Further investigation showed that ldap is not using gssapi on login because it doesn't see a credentials cache file.

/var/log/messages:

Nov 2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov 2 08:56:27 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov 2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov 2 08:56:27 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov 2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov 2 08:56:27 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov 2 08:56:27 playground login[7478]: pam_krb5[7478]: error resolving user name 'testuser' to uid/gid pair
Nov 2 08:56:27 playground login[7478]: pam_krb5[7478]: error getting information about 'testuser'
Nov 2 08:56:29 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov 2 08:56:29 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov 2 08:56:29 playground login[7478]: FAILED LOGIN 2 FROM /dev/tty2 FOR UNKNOWN, User not known to the underlying authentication module

The error can partially be avoided by specifying a kerberos credentials file in /etc/ldap.conf (krb5_ccname FILE:/tmp/.ldapcc).

/var/log/messages:

Nov 2 08:57:22 playground login[7529]: pam_krb5[7529]: authentication succeeds for 'testuser' (testuser@LINUX.LOCAL) // **1
Nov 2 08:57:22 playground login[7529]: pam_ldap: ldap_search_s Operations error // **2
Nov 2 08:57:22 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success) // **3
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov 2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found) // **4
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov 2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov 2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov 2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov 2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)

** 1: kerberos authentication succeeded.
** 2: simple bind, search of course fails..
** 3: actually the value returned is 0x0E (saslBindInProgress)
** 4: still something can't find my credentials cache file although it's statically specified.

Something is not sticking to the rules, and it is not doing _any_ ldapsearches at all.. just a dozen bind requests :-/

Any hints?

Thanks in advance,
Roman