09-12-2003 01:34 PM
Kerberos Credential Cache files are building up
If I run "ll /tmp/krb*", I see an abundance of krb5cc_*_* files. There is nearly one for each telnet session to the system.
From the Kerberos documentation, I thought these files would be deleted when the users' sessions ended. Is this a bug? I would like to clean these up, but I am not sure when it becomes safe to delete them.
Here is a snippet:
-rw------- 1 user1 users 1272 Sep 11 13:25 krb5cc_15965_15966
-rw------- 1 user3 users 1280 Sep 11 13:26 krb5cc_15966_16042
-rw------- 1 user1 users 1272 Sep 11 13:27 krb5cc_16096_16097
-rw------- 1 user3 users 1280 Sep 11 13:27 krb5cc_16097_16176
-rw------- 1 user1 users 1272 Sep 11 13:31 krb5cc_16472_16476
-rw------- 1 user2 users 1536 Sep 11 13:35 krb5cc_16801_16802
-rw------- 1 user2 users 1536 Sep 11 13:38 krb5cc_670_17086
-rw------- 1 user3 users 1280 Sep 11 13:38 krb5cc_17106_17107
-rw------- 1 user2 users 1536 Sep 11 13:39 krb5cc_17107_17136
-rw------- 1 user2 users 1536 Sep 11 13:40 krb5cc_17107_17332
-rw------- 1 user2 users 1536 Sep 11 13:42 krb5cc_17508_17509
-rw------- 1 user2 users 1536 Sep 11 13:45 krb5cc_17791_17792
-rw------- 1 user1 users 1272 Sep 11 14:16 krb5cc_20303_20304
-rw------- 1 user2 users 1536 Sep 11 14:40 krb5cc_22181_22183
-rw------- 1 user1 users 1272 Sep 11 14:57 krb5cc_23510_23523
-rw------- 1 user3 users 1280 Sep 11 15:45 krb5cc_27087_27088
-rw------- 1 user1 users 1272 Sep 11 15:59 krb5cc_28084_28085
-rw------- 1 user2 users 1536 Sep 11 15:59 krb5cc_28124_28125
-rw------- 1 user1 users 1272 Sep 11 16:00 krb5cc_28310_28311
-rw------- 1 user1 users 1272 Sep 12 15:04 krb5cc_670_8616
-rw------- 1 user3 users 1320 Sep 12 15:21 krb5cc_9933_9934
-rw------- 1 user1 users 1272 Sep 12 15:21 krb5cc_9974_9975
-rw------- 1 user2 users 1576 Sep 12 16:29 krb5cc_15056_15057
-rw------- 1 user2 users 1576 Sep 12 17:17 krb5cc_18485_18486
09-12-2003 01:55 PM
Re: Kerberos Credential Cache files are building up
Those numbers at the end of the filenames are probably process ids.
ps -ef | grep
See if the process is still running, just to get an idea how long the files get used.
You can do a find command and gather up these files once they are two days old and delete them.
Just put whatever number you want in the var OLDEST
find /tmp -type f -name 'krb5cc_*' -mtime +${OLDEST} -exec rm {} \;
That's close, you'll need to work it out.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
09-15-2003 09:42 AM
Re: Kerberos Credential Cache files are building up
I have read documentation that says the files are supposed to be named "krb5cc_UID," corresponding to the logged in user. This seems to be true if I log in as a user contained in the local /etc/passwd file and run "kinit". However, for users that are stored in Active Directory, these large numbers are generated somehow.
I could schedule a cleanup job to delete these files after 2 days, but if a user has been logged in for 2 days, I do not want to delete their credential cache while they are still using it. I suppose I could create a script that runs "klist -c" for each file and only deletes files with expired tickets. However, I would rather follow an official HP recommendation than solve the problem my own way.
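One way to write the cleanup considered in the post above, as an added example that is not part of the original thread and not an HP recommendation: it removes only the caches that klist reports as expired. It assumes an MIT-style "klist -s" (silent, exit status 0 only while the cache holds unexpired tickets) and that it runs as root so every cache is readable; the names purge_expired_ccaches, KLIST and CC_DIR are hypothetical.

```shell
#!/bin/sh
# Added example: delete credential caches only when their tickets have expired.
# Assumption: "klist -s -c FILE" exits 0 while FILE holds unexpired tickets and
# non-zero when the cache is expired or cannot be read (MIT klist behaviour).
KLIST=${KLIST:-klist}     # hypothetical override, lets the logic be tested
CC_DIR=${CC_DIR:-/tmp}    # directory holding the krb5cc_* files
PURGED=0                  # number of expired caches found by the last run

purge_expired_ccaches() {
    dry_run=$1            # "yes" = report only, anything else = delete
    PURGED=0
    for f in "$CC_DIR"/krb5cc_*; do
        # /tmp is world-writable: never follow or touch symlinks, and skip
        # anything that is not a regular file (including an unmatched glob).
        [ -L "$f" ] && continue
        [ -f "$f" ] || continue
        if "$KLIST" -s -c "$f" >/dev/null 2>&1; then
            continue      # tickets still valid: a session may be using it
        fi
        if [ "$dry_run" = "yes" ]; then
            echo "would remove $f"
        else
            rm -f "$f" && echo "removed $f"
        fi
        PURGED=$((PURGED + 1))
    done
    return 0
}

# Typical use from root's crontab: purge_expired_ccaches yes   (review first)
```
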
09-16-2003 10:09 AM
Re: Kerberos Credential Cache files are building up
In general, the numbers at the end of the files seem to be time-related. For example, if a telnet generates the number 13650, another telnet a minute later will generate a number around 13750. However, I am not too concerned about this number.
I read the pam_krb5 man page with more detail than before, and it said this:
"The session management module provides function to terminate sessions. It cleans up the credential cache file created by the Authentication module."
I had not previously realized that, so I modified /etc/pam.conf and added this line:
OTHER session required /usr/lib/security/libpam_krb5.1 debug
Now it should work. If I FTP to the system, there is no residual krb5cc_*_* file left in /tmp, and I see this in the debug log:
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_acct_mgmt() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_acct_mgmt() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: FTP LOGIN FROM hostname [X.XXX.XX.XX], user1
Sep 16 13:22:46 pofhpu02 ftpd[4292]: FTP session closed
However, when I telnet into the system and then logout, the krb5cc_*_* is not deleted. When I check the debug log, there is no trace of the session being closed:
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_acct_mgmt() begin
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_acct_mgmt() end, retval = 0
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() begin
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() end, retval = 0
Is it a bug that telnet does not close the session? I don't see pam_sm_close_session() from su or rlogin either.
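The log comparison made in the post above, as an added example that is not part of the original thread: it counts pam_krb5 open_session and close_session "end" lines per syslog tag and reports the tags that opened more sessions than they closed, which are the services leaving caches behind. The function name unclosed_sessions and the "(no-tag)" label are hypothetical; the sample lines are copied from the debug output quoted in the post.

```shell
#!/bin/sh
# Added example: find services whose pam_krb5 sessions are opened but never closed.
# Sample input, taken from the debug log lines quoted in the post.
SAMPLE_LOG='Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() end, retval = 0
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() begin
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() end, retval = 0'

# Reads syslog text on stdin, prints "TAG COUNT" for every tag (field 5, e.g.
# "ftpd[4292]") with more completed opens than completed closes.
unclosed_sessions() {
    awk '
    / pam_krb5: pam_sm_(open|close)_session\(\) end/ {
        tag = $5
        sub(/:$/, "", tag)                 # "ftpd[4292]:" -> "ftpd[4292]"
        if (tag == "") tag = "(no-tag)"    # telnet lines above carry no tag
        if ($7 ~ /open/) opened[tag]++
        else             closed[tag]++
    }
    END {
        for (t in opened)
            if (opened[t] > closed[t])
                printf "%s %d\n", t, opened[t] - closed[t]
    }' | sort
}

# Example: unclosed_sessions < /var/adm/syslog/syslog.log
# or, on the sample above: printf '%s\n' "$SAMPLE_LOG" | unclosed_sessions
```
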
10-14-2003 09:21 PM
Re: Kerberos Credential Cache files are building up
I have recently implemented Kerberos and LDAP-UX on an HP-UX 11.00 system to allow it to use Active Directory for user/group management. I'm doing this "by the book" and following HP's documentation.
I'd also like to set up my servers and workstations to use AD for user/group management. Which documentation of HP did you follow?
Thanks!