Marius Bjørnstad via FreeIPA-users <firstname.lastname@example.org> writes:
> When /tmp is full, it is impossible to authenticate with
> Kerberos. Login with password over SSH and sudo don't work. Login with
> ssh key works fine. Here is the output in the system log when I try to
> log on via SSH with password auth (this is on RHEL 6):
>
> Sep 18 16:56:59 vali sshd: Set /proc/self/oom_score_adj to 0
> Sep 18 16:56:59 vali sshd: Connection from 192.168.1.48 port 49917
> Sep 18 16:57:02 vali [sssd[krb5_child]]: Credentials cache I/O operation failed XXX
> Sep 18 16:57:02 vali [sssd[krb5_child]]: Credentials cache I/O operation failed XXX
> Sep 18 16:57:04 vali sshd: Failed password for paalmbj from 192.168.1.48 port 49917 ssh2
> Sep 18 16:57:07 vali sshd: Connection closed by 192.168.1.48
>
> From SSH I get:
> Permission denied, please try again.
>
> The problem seems to be that Kerberos can't store its credentials
> cache. Is this normal, and is there a way around it? Sure, ideally I
> should limit the space usable by each user, but that doesn't help when
> a given user needs to log in and fix their tmp usage.

/tmp filling up isn't normal and you need to fix that. A lot of things (not just krb5/ssh) rely on being able to make tempfiles and if they can't, will break mysteriously.

I don't believe we had DIR ccaches for 1.10. You might be able to work around by setting KRB5CCNAME, but if memory serves, I think ssh hardcodes an override to that.

Thanks,
--Robbie

P.S. We removed the XXX from the error message in later versions.
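An added example, not part of the thread and not code from SSSD, krb5 or OpenSSH: a log triage helper that separates sshd password failures preceded by the krb5_child credentials cache I/O error quoted above from other failures, plus a probe for whether a directory can still accept a new file. The function names, the 30-second window and the "alice" log line are assumptions made for illustration.

```python
import re
import tempfile
from datetime import datetime, timedelta

# Constructed sample modelled on the syslog lines quoted in the thread;
# the last line (user "alice") is invented to show the contrasting case.
SAMPLE = """\
Sep 18 16:56:59 vali sshd: Connection from 192.168.1.48 port 49917
Sep 18 16:57:02 vali [sssd[krb5_child]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:04 vali sshd: Failed password for paalmbj from 192.168.1.48 port 49917 ssh2
Sep 18 17:10:11 vali sshd: Failed password for alice from 192.168.1.50 port 50210 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
CCACHE_ERR = "Credentials cache I/O operation failed"

def classify_failures(log_text, window=timedelta(seconds=30)):
    """Label each sshd password failure by whether a ccache I/O error
    was logged on the same host within `window` before it."""
    last_ccache_err = {}  # host -> time of most recent ccache I/O error
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, tag, msg = m.groups()
        # syslog omits the year; 2000 is a placeholder so deltas work
        when = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
        if "krb5_child" in tag and CCACHE_ERR in msg:
            last_ccache_err[host] = when
            continue
        hit = FAILED.search(msg)
        if tag.startswith("sshd") and hit:
            seen = last_ccache_err.get(host)
            local = seen is not None and timedelta(0) <= when - seen <= window
            cause = "ccache-io-error" if local else "no-ccache-error"
            findings.append((hit.group(1), hit.group(2), cause))
    return findings

def can_create_file(directory):
    """True if a small file can be written in `directory`, else False."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory) as fh:
            fh.write(b"x" * 4096)
            fh.flush()
        return True
    except OSError:  # includes ENOSPC, EACCES and a missing directory
        return False
```

A failure labelled `ccache-io-error` points at local storage on the host rather than at the submitted password, so it should be handled as a disk-space incident and not counted toward lockout or brute-force alerting without further checks.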