Приветствую!

После успешной авторизации пользователя, создаётся и тут же закрывается сессия этого пользователя. Лог auth:

May 17 13:21:13 localhost login[2002]: pam_winbind(login:auth): getting password (0x00001010)
May 17 13:21:13 localhost login[2002]: pam_winbind(login:auth): pam_get_item returned a password
May 17 13:21:13 localhost login[2002]: pam_winbind(login:auth): user 'test' granted access
May 17 13:21:13 localhost login[2002]: pam_winbind(login:account): user 'test' granted access
May 17 13:21:13 localhost login[2002]: pam_unix(login:session): session opened for user test by LOGIN(uid=0)
May 17 13:21:13 localhost login[2002]: pam_unix(login:session): session closed for user test

/etc/pam.d/login

#%PAM-1.0
auth        required    pam_securetty.so
auth        requisite    pam_nologin.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_winbind.so use_first_pass debug_state
auth        required    pam_unix.so nullok use_first_pass
auth        required    pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth        required    pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account        required    pam_access.so
account        required    pam_time.so
account        sufficient    pam_ldap.so
account        sufficient    pam_winbind.so
account        required    pam_unix.so
#password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password    required    pam_unix.so sha512 shadow use_authtok
#session    sufficient    pam_winbind.so #пробовал с ним и без
session        required    pam_unix.so
session        required    pam_env.so
session        required    pam_motd.so
session        required    pam_limits.so
session        optional    pam_mail.so dir=/var/spool/mail standard
session        optional    pam_lastlog.so
session        optional    pam_loginuid.so
-session    optional    pam_ck_connector.so nox11
-session    optional    pam_systemd.so

билет kerberos руками получить я могу. Вот настройки:

[libdefaults]
    default_realm = palata.irksp.ru
    clockskew = 300
    ticket_lifetime = 1d
    forwardable = true
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true
[realms]
    palata.irksp.ru = {
        kdc = server.palata.irksp.ru
        admin_server = server.palata.irksp.ru
        default_domain = PALATA.IRKSP.RU
    }
[domain_realm]
    .palata.irksp.ru = PALATA.IRKSP.RU
    palata.irksp.ru = PALATA.IRKSP.RU
    palata = PALATA.IRKSP.RU
[appdefaults]
[logging]
    default = FILE:/var/log/krb5_libs.log
    kdc = FILE:/var/log/krb5_kdc.log
    admin_server = FILE:/var/log/krb5_admsrv.log 

но странно, что в логах всё пусто...
и настройки smb.conf

[global]
    netbios name = arch
    workgroup = PALATA
    realm = PALATA.IRKSP.RU
    server string = %h Archlinux Host
    security = ADS
    allow trusted domains = no
    encrypt passwords = yes
    password server = *
    idmap backend = idmap_rid:PALATA=500-10000
    idmap uid = 500-10000
    idmap gid = 500-10000
    
    winbind use default domain = yes
    winbind separator = +
    winbind refresh tickets = yes
    winbind enum users = no
    winbind enum groups = no
    winbind nested groups = yes
    
    load printers = no

wbinfo отрабатыает. getenv passwd test тоже "видит" доменного пользователя.
машина в домен входит

[root@arch ~]# net ads join -U admin
Enter admin's password:
Using short domain name -- PALATA
Joined 'ARCH' to realm 'palata.irksp.ru'

И не пойму где и у чего включит отладку, чтобы хоть логи почитать...