If you unlock a locked CDE session, all your cached Kerberos version 5 (krb5) credentials might be removed. The result is you might not be able to access various system utilities. This problem occurs under the following conditions:
In the /etc/pam.conf file, the dtsession services for your system are configured to use the krb5 module by default.
You lock your CDE session, and then try to unlock the session.
If this problem occurs, the following error message is displayed:
lock screen: PAM-KRB5 (auth): Error verifying TGT with host/host-name: Permission denied in replay cache code
Workaround: Add the following non-pam_krb5 dtsession entries to the /etc/pam.conf file:
dtsession auth requisite pam_authtok_get.so.1 dtsession auth required pam_unix_auth.so.1
With these entries in the /etc/pam.conf file, the pam_krb5 module does not run by default.
In the Solaris 9 12/03 release, locked accounts are treated in the same way as expired or nonexistent accounts. As a result, the cron, at, and batch utilities cannot schedule jobs on locked accounts.
Workaround: To enable locked accounts to accept cron, at, or batch jobs, replace the password field of a locked account (*LK*) with the string NP, for no password.