Marius Bjørnstad via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> writes:

> When /tmp is full, it is impossible to authenticate with
> Kerberos. Login with password over SSH and sudo don't work. Login with
> ssh key works fine. Here is the output in the system log when I try to
> log on via SSH with password auth (this is on RHEL 6):
>
> Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
> Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
> Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 192.168.1.48 port 49917 ssh2
> Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48
>
> From SSH I get:
> Permission denied, please try again.
>
> The problem seems to be that Kerberos can't store its credentials
> cache. Is this normal, and is there a way around it? Sure, ideally I
> should limit the space usable by each user, but that doesn't help when
> a given user needs to log in and fix their tmp usage.

/tmp filling up isn't normal and you need to fix that.

A lot of things (not just krb5/ssh) rely on being able to make tempfiles
and if they can't, will break mysteriously.  I don't believe we had DIR
ccaches for 1.10.  You might be able to work around by setting
KRB5CCNAME, but if memory serves, I think ssh hardcodes an override to
that.

Thanks,
--Robbie

P.S. We removed the XXX from the error message in later versions.
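
For log triage, the pattern quoted in this thread (a krb5_child credentials cache I/O error followed by an sshd "Failed password") can be separated from ordinary failed logins by correlating the two lines per host. The following is an added example, not part of the original thread or of FreeIPA/SSSD; the 10-second window, the function name, the labels and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog excerpt quoted in the thread.
SAMPLE_LOG = """\
Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 192.168.1.48 port 49917 ssh2
Sep 18 17:10:11 vali sshd[35990]: Failed password for root from 192.168.1.77 port 50222 ssh2
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
# The trailing "XXX" is not required: later versions drop it from the message.
CCACHE_ERR = re.compile(r"krb5_child\[\d+\].*Credentials cache I/O operation failed")
FAILED_PW = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
WINDOW = timedelta(seconds=10)  # assumed correlation window, tune per site


def classify_failures(log_text, year=2000):
    """Return (user, source, cause) for each sshd failed-password line.

    cause is "ccache-io" when a krb5_child ccache I/O error was logged on the
    same host within WINDOW before the failure, otherwise "other".
    Syslog timestamps carry no year, so one is supplied for parsing.
    """
    last_ccache_err = {}  # host -> time of most recent ccache I/O error
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host, msg = m.group(2), m.group(3)
        if CCACHE_ERR.search(msg):
            last_ccache_err[host] = ts
            continue
        failed = FAILED_PW.search(msg)
        if failed:
            err = last_ccache_err.get(host)
            local = err is not None and timedelta(0) <= ts - err <= WINDOW
            results.append((failed.group(1), failed.group(2),
                            "ccache-io" if local else "other"))
    return results


if __name__ == "__main__":
    for user, source, cause in classify_failures(SAMPLE_LOG):
        print(f"{user} from {source}: {cause}")
```

A "ccache-io" result points at a local resource problem on the host (such as the full /tmp described above) rather than at the password that was entered.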
