Commit 0679b65

Authored and committed by korydraughn and alanking
[irods/irods#8282] Add link to troubleshooting section for PAM re-auth.
Parent: 480c2ff. Commit: 0679b65.

File tree

2 files changed: +9, -2 lines changed

docs/system_overview/configuration.md

Lines changed: 5 additions & 1 deletion
@@ -917,11 +917,15 @@ The maximum TTL of a randomly generated password in seconds. If a user attempts
917917

918918
The minimum TTL of a randomly generated password in seconds. If a user attempts to authenticate with a TTL value that is less than `password_min_time`, the TTL is determined to be invalid and an error is returned. If `password_min_time` is configured to a value greater than `password_max_time` no passed-in TTL value will satisfy the system. Accepted values: [0..18446744073709552000). If a value outside of the acceptable range is used, a warning message will be logged for the administrator and the default value will be used. The default value is 121.
919919

920+
!!! Note
921+
If users are being forced to re-authenticate via PAM frequently, you may need to adjust this option. A high frequency of `CAT_PASSWORD_EXPIRED` appearing in the server log is a good indicator of this. See [Users are forced to re-authenticate after a few minutes](../../system_overview/troubleshooting/#users-are-forced-to-re-authenticate-after-a-few-minutes) for more information.
922+
920923
#### `password_extend_lifetime`
921924

922925
Determines whether to extend the lifetime of the user's randomly generated password when re-authenticating by updating its expiration time. For instance, if a user authenticates and a randomly generated password already exists for the user in the database, the existing password will simply have its lifetime extended and the user will not need to re-authenticate for the full TTL. Accepted values: '0' or '1'. '1' means that the expiration time for the existing random password will be updated each time a user re-authenticates with iRODS. '0' means that the expiration time for the existing random password will not be updated when a user re-authenticates with iRODS. The default value is '1'.
923926

924-
**NOTE:** This configuration is not used with `native` authentication.
927+
!!! Note
928+
This configuration is not used with `native` authentication.
925929

926930
### Configuring authentication in `R_GRID_CONFIGURATION`
927931

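Review bot: the new note under `password_min_time` (added lines 920-921) tells the administrator to "adjust this option" without saying in which direction. Since the troubleshooting text states that PAM sessions expire after `password_min_time` by default, say "increase `password_min_time`" explicitly, and remind the reader that the new value must stay below `password_max_time`; the paragraph immediately above (line 918) already warns that a `password_min_time` greater than `password_max_time` makes every passed-in TTL invalid, which would lock every PAM user out rather than fix the symptom. The same note names only `CAT_PASSWORD_EXPIRED` as the log indicator, while the troubleshooting hunk in this commit admits the server may instead return `CAT_INVALID_AUTHENTICATION` or `CAT_INVALID_USER`; an administrator grepping the server log for only `CAT_PASSWORD_EXPIRED` would miss those cases, so either list all three here or say "see the linked section for the error codes to look for". Converting the `**NOTE:**` on `password_extend_lifetime` to an admonition (lines 927-928) is a good consistency fix.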
docs/system_overview/troubleshooting.md

Lines changed: 4 additions & 1 deletion
@@ -778,7 +778,10 @@ If the server *has been* restarted after running `iexit`, the server will stand
778778

779779
## Users are forced to re-authenticate after a few minutes
780780

781-
If your users are authenticating via PAM (e.g. `pam_password` scheme) and find that they are being made to re-authenticate after only a few minutes, this section should provide an explanation and a way to remedy the situation.
781+
If your users are authenticating via PAM (e.g. `pam_password` scheme), are being made to re-authenticate after only a few minutes, and `CAT_PASSWORD_EXPIRED` (i.e. error code -840000) is observed during communication, this section should provide an explanation and a way to remedy the situation.
782+
783+
!!! Note
784+
It is also possible for `CAT_INVALID_AUTHENTICATION` (-826000) or `CAT_INVALID_USER` (-827000) to be returned from the server instead of `CAT_PASSWORD_EXPIRED`. The solutions described in this section still apply.
782785

783786
An authenticated "session" for an iRODS user is managed through a Time-to-Live (TTL) parameter used by the authentication plugins. A session is said to "expire" after it has been valid for a specified TTL. For PAM authentication, sessions expire after the zone's configured `password_min_time` (in `R_GRID_CONFIGURATION` table) by default. The default `password_min_time` is 121 seconds. This explains the behavior described above.
784787

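Review bot: "observed during communication" (added line 781) does not tell the administrator where to look for `CAT_PASSWORD_EXPIRED`; say "returned to the client or written to the server log" so the symptom is checkable on either side. The rewritten opening sentence now carries three conditions in one clause and is hard to scan; consider splitting it, e.g. "If your users authenticate via PAM (e.g. the `pam_password` scheme) and are made to re-authenticate after only a few minutes, this section explains the cause and the remedy. The usual symptom is `CAT_PASSWORD_EXPIRED` (error code -840000)". The new note (lines 783-784) correctly lists `CAT_INVALID_AUTHENTICATION` (-826000) and `CAT_INVALID_USER` (-827000) as alternative error codes, but it would help to add one sentence on why the server returns a generic authentication failure instead of the expired-password code, otherwise an administrator seeing `CAT_INVALID_USER` will reasonably suspect a misspelled username or a missing user account before suspecting `password_min_time`. The unchanged paragraph at line 786 that follows says sessions "expire after the zone's configured `password_min_time`"; since this is the core of the explanation, it is the right place to point readers back to the `password_min_time` entry in configuration.md, mirroring the link added in the other direction by this commit.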
0 commit comments