On Tue, 2017-09-19 at 14:37 -0400, Simo Sorce via FreeIPA-users wrote:
> We normally store credentials in the kernel keyring, have you changed
> the default ccache type in your installation?

Ignore the above, I overlooked that you are on RHEL6, we introduced the
keyring in RHEL7.

Simo.

> If you have elected to use /tmp to store ccaches and it is full it is
> expected for auth to fail.
> 
> Simo.
> 
> On Mon, 2017-09-18 at 17:11 +0200, Marius Bjørnstad via FreeIPA-users wrote:
> > Hi,
> > 
> > When /tmp is full, it is impossible to authenticate with Kerberos.
> > Login with password over SSH and sudo don't work. Login with ssh key
> > works fine. Here is the output in the system log when I try to log on
> > via SSH with password auth (this is on RHEL 6):
> > 
> > Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
> > Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
> > Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
> > Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
> > Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 192.168.1.48 port 49917 ssh2
> > Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48
> > From SSH I get:
> > Permission denied, please try again.
> > 
> > The problem seems to be that Kerberos can't store its credentials
> > cache. Is this normal, and is there a way around it? Sure, ideally I
> > should limit the space usable by each user, but that doesn't help
> > when a given user needs to log in and fix their tmp usage.
> > 
> > Thanks,
> > Marius
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> 
> -- 
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
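
Added example, not part of the original thread: a small log correlator that separates sshd password failures caused by a credentials cache I/O error (the symptom reported above) from ordinary authentication failures. The sample log is constructed from the lines quoted in the thread plus one invented line; the function name, the 10-second window and the caller-supplied year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first block mirrors the log lines quoted in the thread;
# the last line (user "alice", host 192.0.2.10) is invented for contrast.
SAMPLE = """\
Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 192.168.1.48 port 49917 ssh2
Sep 18 17:30:10 vali sshd[36001]: Failed password for alice from 192.0.2.10 port 50222 ssh2
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (.+?): (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
CCACHE_ERR = "Credentials cache I/O operation failed"
WINDOW = timedelta(seconds=10)  # assumed correlation window, tune per site


def classify_failures(text, year=2017):
    """Return (user, source, cause) per sshd password failure.

    cause is "ccache_io" when krb5_child on the same host logged a ccache
    I/O error within WINDOW before the failure, else "auth".
    """
    ccache_errors = []  # (host, timestamp) of krb5_child ccache errors
    results = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, proc, msg = m.groups()
        # syslog omits the year; it is supplied by the caller
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if "krb5_child" in proc and CCACHE_ERR in msg:
            ccache_errors.append((host, ts))
        elif proc.startswith("sshd"):
            f = FAILED.search(msg)
            if f:
                hit = any(h == host and timedelta(0) <= ts - t <= WINDOW
                          for h, t in ccache_errors)
                results.append((f.group(1), f.group(2), "ccache_io" if hit else "auth"))
    return results


if __name__ == "__main__":
    for row in classify_failures(SAMPLE):
        print(row)
```

Failures tagged `ccache_io` point at a host-side storage problem rather than a wrong password, so they can be routed to operations instead of counted toward brute-force thresholds.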