On Tue, 2017-09-19 at 14:37 -0400, Simo Sorce via FreeIPA-users wrote: > We normally store credentials in the kernel keyring, have you changed > the default ccache type in your installation ?
Ignore the above, I overlooked that you are on RHEL6, we introduced the keyring in RHEL7. Simo. > If you have elected to use /tmp to store ccaches and it is full it is > expected for auth to fail. > > Simo. > > On Mon, 2017-09-18 at 17:11 +0200, Marius Bjørnstad via FreeIPA-users > wrote: > > Hi, > > > > When /tmp is full, it is impossible to authenticate with Kerberos. > > Login with password over SSH and sudo don't work. Login with ssh > > key > > works fine. Here is the output in the system log when I try to log > > on > > via SSH with password auth (this is on RHEL 6): > > > > Sep 18 16:56:59 vali sshd: Set /proc/self/oom_score_adj to 0 > > Sep 18 16:56:59 vali sshd: Connection from 192.168.1.48 port > > 49917 > > Sep 18 16:57:02 vali [sssd[krb5_child]]: Credentials cache > > I/O > > operation failed XXX > > Sep 18 16:57:02 vali [sssd[krb5_child]]: Credentials cache > > I/O > > operation failed XXX > > Sep 18 16:57:04 vali sshd: Failed password for paalmbj from > > 192.168.1.48 port 49917 ssh2 > > Sep 18 16:57:07 vali sshd: Connection closed by 192.168.1.48 > > > > From SSH I get: > > Permission denied, please try again. > > > > The problem seems to be that Kerberos can't store its credentials > > cache. Is this normal, and is there a way around it? Sure, ideally > > I > > should limit the space usable by each user, but that doesn't help > > when a given user needs to log in and fix their tmp usage. > > > > Thanks, > > Marius > > _______________________________________________ > > FreeIPA-users mailing list -- firstname.lastname@example.org > > To unsubscribe send an email to email@example.com > > te > > d.org > > -- > Simo Sorce > Sr. Principal Software Engineer > Red Hat, Inc > _______________________________________________ > FreeIPA-users mailing list -- firstname.lastname@example.org > To unsubscribe send an email to email@example.com > d.org -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc _______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org