On Mon, Sep 18, 2017 at 05:11:09PM +0200, Marius Bjørnstad via FreeIPA-users 
wrote:
> Hi,
> 
> When /tmp is full, it is impossible to authenticate with Kerberos. Login with 
> password over SSH and sudo don't work. Login with ssh key works fine. Here is 
> the output in the system log when I try to log on via SSH with password auth 
> (this is on RHEL 6):
> 
> Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
> Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O 
> operation failed XXX
> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O 
> operation failed XXX
> Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 
> 192.168.1.48 port 49917 ssh2
> Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48
> 
> From SSH I get:
> Permission denied, please try again.
> 
> The problem seems to be that Kerberos can't store its credentials cache. Is 
> this normal, and is there a way around it? Sure, ideally I should limit the 
> space usable by each user, but that doesn't help when a given user needs to 
> log in and fix their tmp usage.

Well, you need to store the credentials /somewhere/...so if the
credential storage is full, the only remaining thing is to fall back to
cached passwords.

Which, if they are available (through cache_credentials=True in
sssd.conf) is what I'd expect to happen. If that doesn't happen, please
post your sssd logs.
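
A check for the two conditions discussed in this thread, added here as an example and not part of either message: it reads an sssd.conf, reports per domain whether `cache_credentials` is enabled, and reports which directory holds the Kerberos credential cache so its free space can be checked. The sample configuration and domain names are constructed, and the `/tmp` default for `krb5_ccachedir` is an assumption taken from the sssd-krb5 man page and the situation described above.

```python
import configparser
import os
import shutil

# Constructed sample sssd.conf (not from the thread): the first domain relies
# on defaults, the second enables cached passwords and moves the ccache dir.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = ipa.example.test, lab.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa

[domain/lab.example.test]
id_provider = ipa
auth_provider = ipa
cache_credentials = True
krb5_ccachedir = /var/tmp
"""

def audit_domains(conf_text, default_ccachedir="/tmp"):
    """Return {domain: (cache_credentials, ccache_dir)} for each domain section."""
    # Interpolation is disabled because sssd values may contain '%' templates.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # cache_credentials is off unless it is set explicitly in the domain.
        cached = cp.getboolean(section, "cache_credentials", fallback=False)
        # Assumed default directory when krb5_ccachedir is not set.
        ccdir = cp.get(section, "krb5_ccachedir", fallback=default_ccachedir)
        result[section[len("domain/"):]] = (cached, ccdir)
    return result

def free_bytes(path):
    """Free space on the filesystem that holds the credential cache directory."""
    return shutil.disk_usage(path).free

if __name__ == "__main__":
    for domain, (cached, ccdir) in audit_domains(SAMPLE_CONF).items():
        free = free_bytes(ccdir) if os.path.isdir(ccdir) else None
        print(f"{domain}: cache_credentials={cached} ccachedir={ccdir} free_bytes={free}")
```

A domain reported with `cache_credentials=False` has no cached password to fall back on, and a cached password only exists for users who have already completed a successful online password login.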