Sorry, hit send too early by accident. Relevant bits of config: [radiusd.conf] max_request_time = 10 thread pool { start_servers = 3 min_spare_servers = 2 max_spare_servers = 5 max_requests_per_server = 0 } [sites-available/default] authorize { ... ldap ... # NOTE: ldap module does not set a Cleartext-Password so "pap" # is not enabled automatically. But we are fine to use PAP+krb5 update control { Auth-Type = PAP } } authenticate { Auth-Type PAP { krb5 } } [mods-available/krb5] krb5 { keytab = /etc/krb5.keytab service_principal = 'host/ix-radius1.ad.example.net' # different for each radius server pool { ... everything as defaults ... } } I wonder if there is some sort of leak and I should set "uses" or "lifetime" to limit how long each krb5 instance is used for? I also have these environment variables set in systemd: [Service] Environment=KRB5_CLIENT_KTNAME=/etc/radius.keytab Environment=KRB5CCNAME=MEMORY: Restart=always RestartSec=5 This is so that freeradius can authenticate to the LDAP server for LDAP queries. But I don't think the problem is to do with LDAP queries from freeradius, since the log messages are specifically about rlm_krb5, not rlm_ldap. Cheers, Brian.