Since resolution of bug #225732, security/kstart rc script is run *before* the cleartmp script when clear_tmp_enable="YES".
Security/kstart uses /tmp as its default directory to store Kerberos credential cache files. When clear_tmp_enable="YES", those files are purged by the cleartmp rc script right after kstart created them. Further services relying on kstart are thus unable to perform Kerberos authentication.
The original bug report proposed 2 ways to make security/kstart start earlier. Proposal 2 was finally implemented. I just tested proposal 1 on 12-STABLE, and it fixes the issue.
Note: the original bug report mentions "other daemons that may need Kerberos". It is difficult to test for regressions without a minimal list of dependencies. In my environment, we use security/kstart with net/nss-pam-ldapd-sasl to perform NSS LDAP binds authenticated with GSSAPI.
A commit references this bug:
Date: Mon Mar 18 02:28:11 UTC 2019
New revision: 496119
- Adjust start order in rc script
- Bump PORTREVISION
Submitted by: Marin Bernard <firstname.lastname@example.org>