Using per-user credentials requires configuration such as a Kerberos setup. Refer to the following issues when configuring per-user profiles.
The syslog file might contain the following error message:
libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed -82 Local error
Kerberos might not be initialized, or its ticket might have expired. Use the klist command to view the current tickets. Use either the kinit -p command or the kinit -R command to reinitialize Kerberos.
To enable the kinit command to run automatically whenever you log in, add pam_krb5.so.1 to the /etc/pam.conf file. For example:
login auth optional pam_krb5.so.1
rlogin auth optional pam_krb5.so.1
other auth optional pam_krb5.so.1
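To confirm that these entries are in place, the following added example (not part of the original documentation) lists which of the three services have no active auth line for pam_krb5.so.1. The function name missing_pam_krb5 and the sample file contents are assumptions made for the illustration.

```shell
# Added example: report which PAM services lack an auth entry for pam_krb5.so.1.
# missing_pam_krb5 is a hypothetical helper name, not a system command.
# Usage: missing_pam_krb5 /etc/pam.conf
missing_pam_krb5() {
    conf=$1
    for svc in login rlogin other; do
        # pam.conf fields: service  module_type  control_flag  module_path  [options]
        if ! awk -v svc="$svc" '
            { sub(/#.*/, "") }                 # ignore comments, including commented-out entries
            NF >= 4 && $1 == svc && $2 == "auth" {
                n = split($4, parts, "/")      # accept a bare or an absolute module path
                if (parts[n] == "pam_krb5.so.1") found = 1
            }
            END { exit found ? 0 : 1 }
        ' "$conf"; then
            printf '%s\n' "$svc"
        fi
    done
}

# Constructed sample file: rlogin has no pam_krb5 line, the "other" auth line is
# commented out, and the remaining "other" line is for account, not auth.
sample=$(mktemp)
cat > "$sample" <<'EOF'
login   auth required   pam_unix_auth.so.1
login   auth optional   pam_krb5.so.1
rlogin  auth required   pam_unix_auth.so.1
# other auth optional   pam_krb5.so.1
other   account optional pam_krb5.so.1
EOF
missing_pam_krb5 "$sample"
rm -f "$sample"
```

An empty result means all three services already call pam_krb5.so.1 during authentication.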
The syslog file might contain Invalid credential after you use the kinit command. This problem might occur due to one of the following reasons:
The root host entry or the user entry is not in the LDAP directory.
Mapping rules are incorrect.
You can use the ldapclient init command to check the LDAP profile for the presence of the self/sasl/GSSAPI configuration. If the switch check fails, the error lies in DNS not being used as the search criteria for the host database. You can resolve this issue as follows:
Use the following commands to check the status of the DNS service and to enable it.
# svcs -l dns/client
# svcadm enable dns/client
If the failure is in the bind operation of sasl/GSSAPI, check the syslog file to determine the problem.