saslauthd (cyrus-sasl-2.1.21-r2) has a fd leak when using it with pam and kerberos. If kdc serves v5 and v4, v4 files are deleted but not released (closed). fd number can reach maximum and saslauthd refuses to authenticate. Each request(login) to saslauthd leaves one fd opened... lsof -n|grep saslauthd|grep deleted ... /tmp/tkt3202_0EoUzP (deleted) saslauthd 9442 root 48u REG 8,19 0 64257049 /tmp/tkt3259_SU5Bix (deleted) saslauthd 9442 root 49u REG 8,19 0 64257051 /tmp/tkt3259_UGODBB (deleted) saslauthd 9442 root 50u REG 8,19 0 64257055 /tmp/tkt3259_XC7zx9 (deleted) ...
I believe gentoo net-mail team don't have such setup. Please report this upstream. Note there are more poeple read ML than bug. You can try both. ML: http://asg.web.cmu.edu/cyrus/mailing-list.html BUG: https://bugzilla.andrew.cmu.edu/ thanks.
This leak can be avoided using only krb5 in pam_krb5-2.2.6 from fedora. krb4 is anyway deprecated. This version of pam_krb5 gives afs tokens through krb5 only, so krb4 is not needed anymore.