On (19/09/17 18:46), Florence Blanc-Renaud via FreeIPA-users wrote:
>On 09/18/2017 05:11 PM, Marius Bjørnstad via FreeIPA-users wrote:
>> Hi,
>> 
>> When /tmp is full, it is impossible to authenticate with Kerberos. Login 
>> with password over SSH and sudo don't work. Login with ssh key works fine. 
>> Here is the output in the system log when I try to log on via SSH with 
>> password auth (this is on RHEL 6):
>> 
>> Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
>> Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
>> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O 
>> operation failed XXX
>> Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O 
>> operation failed XXX
>> Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 
>> 192.168.1.48 port 49917 ssh2
>> Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48
>> 
>> From SSH I get:
>> Permission denied, please try again.
>> 
>> The problem seems to be that Kerberos can't store its credentials cache. Is 
>> this normal, and is there a way around it? Sure, ideally I should limit the 
>> space usable by each user, but that doesn't help when a given user needs to 
>> log in and fix their tmp usage.
>> 
>> Thanks,
>> Marius
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> 
>Hi,
>
>the location of the credential cache can be specified either using the
>environment variable $KRB5CCNAME or globally in /etc/krb5.conf (with the
>setting default_ccache_name, or default value FILE:/tmp/krb5cc_%{uid} if not
>specified).
>
>Please note that more recent versions of freeIPA configure default_ccache_name
>= KEYRING:persistent:%{uid}
>
Just a note that setting a KEYRING collection ccache requires quite a new kernel
and MIT krb5 (upstream 1.12 IIRC).

So the correct answer should be a recent version of freeIPA on rhel7 and fedora
:-)

LS
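
The lookup order described in this thread ($KRB5CCNAME, then default_ccache_name in krb5.conf, then FILE:/tmp/krb5cc_%{uid}), as an added example that is not part of the original messages. The function names are hypothetical, the sample krb5.conf is constructed, and the parser reads only a plain [libdefaults] section (no include directives).

```shell
#!/bin/sh
# Added example: work out where the Kerberos credential cache will be written,
# so hosts whose logins depend on free space in /tmp can be found and fixed.

# Print default_ccache_name from the [libdefaults] section of a krb5.conf-style
# file; print nothing if the setting is absent.
ccache_from_conf() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "key ="
            sub(/[ \t]+$/, "")         # drop trailing whitespace
            print; exit
        }
    ' "$1"
}

# resolve_ccache CONF UID KRB5CCNAME_VALUE
# Environment value wins, then krb5.conf, then the built-in default.
resolve_ccache() {
    conf=$1 uid=$2 name=$3
    [ -n "$name" ] || name=$(ccache_from_conf "$conf")
    [ -n "$name" ] || name='FILE:/tmp/krb5cc_%{uid}'
    printf '%s\n' "$name" | sed "s/%{uid}/$uid/g"
}

# Classify a resolved ccache name; "tmp-file" is the case from this thread,
# where a full /tmp makes password logins fail.
ccache_class() {
    case $1 in
        FILE:/tmp/*|/tmp/*) echo tmp-file ;;
        FILE:*|/*)          echo file ;;
        KEYRING:*)          echo keyring ;;
        *)                  echo other ;;
    esac
}

# Constructed sample: a krb5.conf with no default_ccache_name set.
sample=$(mktemp)
printf '[libdefaults]\n  default_realm = EXAMPLE.TEST\n' > "$sample"
resolved=$(resolve_ccache "$sample" 1000 "")
echo "$resolved -> $(ccache_class "$resolved")"
rm -f "$sample"
```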