On 09/18/2017 05:11 PM, Marius Bjørnstad via FreeIPA-users wrote:
Hi,

When /tmp is full, it is impossible to authenticate with Kerberos. Login with 
password over SSH and sudo don't work. Login with ssh key works fine. Here is 
the output in the system log when I try to log on via SSH with password auth 
(this is on RHEL 6):

Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 192.168.1.48 port 49917 ssh2
Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48

From SSH I get:
Permission denied, please try again.

The problem seems to be that Kerberos can't store its credentials cache. Is 
this normal, and is there a way around it? Sure, ideally I should limit the 
space usable by each user, but that doesn't help when a given user needs to log 
in and fix their tmp usage.

Thanks,
Marius
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

the location of the credential cache can be specified either using the environment variable $KRB5CCNAME or globally in /etc/krb5.conf (with the setting default_ccache_name, or default value FILE:/tmp/krb5cc_%{uid} if not specified).

Please note that more recent versions of FreeIPA configure default_ccache_name = KEYRING:persistent:%{uid}

HTH,
Flo
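
An added example, not part of the original messages: a shell sketch that resolves the credential cache location with the precedence described in the reply ($KRB5CCNAME, then default_ccache_name, then the FILE:/tmp default) and reports whether a file-backed cache directory has room. The function names, the 64 KiB threshold and the simplified krb5.conf parsing (no sections or include directives, krb5.conf only) are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find where the Kerberos
# credential cache is written and whether that location can take a new file.

# Print the effective cache name for a uid: $KRB5CCNAME wins, then
# default_ccache_name from the given krb5.conf, then the built-in default.
# Assumption: first matching line wins; sections and includes are ignored.
effective_ccache() {
    conf=$1 uid=$2
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "$KRB5CCNAME"
        return
    fi
    name=$(sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$conf" 2>/dev/null | head -n 1)
    [ -n "$name" ] || name='FILE:/tmp/krb5cc_%{uid}'
    printf '%s\n' "$name" | sed "s/%{uid}/$uid/g"
}

# Print the directory a cache name writes into; print nothing for types
# that are not backed by the filesystem (for example KEYRING:).
ccache_dir() {
    case $1 in
        FILE:*) dirname "${1#FILE:}" ;;
        DIR:*)  printf '%s\n' "${1#DIR:}" ;;
        /*)     dirname "$1" ;;          # a bare path is a FILE: cache
        *)      : ;;
    esac
}

# Succeed if the filesystem holding directory $1 has at least $2 KiB free.
has_free_kib() {
    avail=$(df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}')
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# One-line verdict; the 64 KiB default threshold is an assumed margin.
check_ccache() {
    cc=$(effective_ccache "$1" "$2")
    dir=$(ccache_dir "$cc")
    if [ -z "$dir" ]; then
        echo "OK $cc (not file-backed)"
    elif has_free_kib "$dir" "${3:-64}"; then
        echo "OK $cc"
    else
        echo "FULL $cc: $dir is short on space or missing"
    fi
}

check_ccache /etc/krb5.conf "$(id -u)"
```

Run from cron or a monitoring agent, a FULL line flags the condition in the report above before password logins start failing.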