klist returns no tickets when using "pam_krb5.so try_first_pass"

Question

We have

auth        optional      pam_krb5.so try_first_pass

in

/etc/pam.d/password-auth-ac 

and

/etc/pam.d/system-auth-ac

however when I do a klist after successful login, I get

klist: No credentials cache found (filename: /tmp/nnnnn)

What could be the reason for this?

auth and session stack:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_tally2.so deny=12 unlock_time=3600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        optional      pam_krb5.so try_first_pass
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so



session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

Answer 1

Figured it out pam_krb5 was missing from the session stack:

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     required      pam_krb5.so

adding session required pam_krb5.so fixed the issue.