HPE GreenLake Administration
- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Kerberos Credential Cache files are building up
Operating System - HP-UX
1836359
Members
2647
Online
110100
Solutions
Forums
Categories
Company
Local Language
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-12-2003 01:34 PM
09-12-2003 01:34 PM
Kerberos Credential Cache files are building up
I have recently implemented Kerberos and LDAP-UX on an HP-UX 11.00 system to allow it to use Active Directory for user/group management. I'm doing this "by the book" and following HP's documentation.
If I run "ll /tmp/krb*", I see an abundance of krb5cc_*_* files. There is nearly one for each telnet session to the system.
From the Kerberos documentation, I though these files would be deleted when the users' sessions ended. Is this a bug? I would like to clean these up, but I am not sure when it becomes safe to delete them.
Here is a snippet:
-rw------- 1 user1 users 1272 Sep 11 13:25 krb5cc_15965_15966
-rw------- 1 user3 users 1280 Sep 11 13:26 krb5cc_15966_16042
-rw------- 1 user1 users 1272 Sep 11 13:27 krb5cc_16096_16097
-rw------- 1 user3 users 1280 Sep 11 13:27 krb5cc_16097_16176
-rw------- 1 user1 users 1272 Sep 11 13:31 krb5cc_16472_16476
-rw------- 1 user2 users 1536 Sep 11 13:35 krb5cc_16801_16802
-rw------- 1 user2 users 1536 Sep 11 13:38 krb5cc_670_17086
-rw------- 1 user3 users 1280 Sep 11 13:38 krb5cc_17106_17107
-rw------- 1 user2 users 1536 Sep 11 13:39 krb5cc_17107_17136
-rw------- 1 user2 users 1536 Sep 11 13:40 krb5cc_17107_17332
-rw------- 1 user2 users 1536 Sep 11 13:42 krb5cc_17508_17509
-rw------- 1 user2 users 1536 Sep 11 13:45 krb5cc_17791_17792
-rw------- 1 user1 users 1272 Sep 11 14:16 krb5cc_20303_20304
-rw------- 1 user2 users 1536 Sep 11 14:40 krb5cc_22181_22183
-rw------- 1 user1 users 1272 Sep 11 14:57 krb5cc_23510_23523
-rw------- 1 user3 users 1280 Sep 11 15:45 krb5cc_27087_27088
-rw------- 1 user1 users 1272 Sep 11 15:59 krb5cc_28084_28085
-rw------- 1 user2 users 1536 Sep 11 15:59 krb5cc_28124_28125
-rw------- 1 user1 users 1272 Sep 11 16:00 krb5cc_28310_28311
-rw------- 1 user1 users 1272 Sep 12 15:04 krb5cc_670_8616
-rw------- 1 user3 users 1320 Sep 12 15:21 krb5cc_9933_9934
-rw------- 1 user1 users 1272 Sep 12 15:21 krb5cc_9974_9975
-rw------- 1 user2 users 1576 Sep 12 16:29 krb5cc_15056_15057
-rw------- 1 user2 users 1576 Sep 12 17:17 krb5cc_18485_18486
If I run "ll /tmp/krb*", I see an abundance of krb5cc_*_* files. There is nearly one for each telnet session to the system.
From the Kerberos documentation, I though these files would be deleted when the users' sessions ended. Is this a bug? I would like to clean these up, but I am not sure when it becomes safe to delete them.
Here is a snippet:
-rw------- 1 user1 users 1272 Sep 11 13:25 krb5cc_15965_15966
-rw------- 1 user3 users 1280 Sep 11 13:26 krb5cc_15966_16042
-rw------- 1 user1 users 1272 Sep 11 13:27 krb5cc_16096_16097
-rw------- 1 user3 users 1280 Sep 11 13:27 krb5cc_16097_16176
-rw------- 1 user1 users 1272 Sep 11 13:31 krb5cc_16472_16476
-rw------- 1 user2 users 1536 Sep 11 13:35 krb5cc_16801_16802
-rw------- 1 user2 users 1536 Sep 11 13:38 krb5cc_670_17086
-rw------- 1 user3 users 1280 Sep 11 13:38 krb5cc_17106_17107
-rw------- 1 user2 users 1536 Sep 11 13:39 krb5cc_17107_17136
-rw------- 1 user2 users 1536 Sep 11 13:40 krb5cc_17107_17332
-rw------- 1 user2 users 1536 Sep 11 13:42 krb5cc_17508_17509
-rw------- 1 user2 users 1536 Sep 11 13:45 krb5cc_17791_17792
-rw------- 1 user1 users 1272 Sep 11 14:16 krb5cc_20303_20304
-rw------- 1 user2 users 1536 Sep 11 14:40 krb5cc_22181_22183
-rw------- 1 user1 users 1272 Sep 11 14:57 krb5cc_23510_23523
-rw------- 1 user3 users 1280 Sep 11 15:45 krb5cc_27087_27088
-rw------- 1 user1 users 1272 Sep 11 15:59 krb5cc_28084_28085
-rw------- 1 user2 users 1536 Sep 11 15:59 krb5cc_28124_28125
-rw------- 1 user1 users 1272 Sep 11 16:00 krb5cc_28310_28311
-rw------- 1 user1 users 1272 Sep 12 15:04 krb5cc_670_8616
-rw------- 1 user3 users 1320 Sep 12 15:21 krb5cc_9933_9934
-rw------- 1 user1 users 1272 Sep 12 15:21 krb5cc_9974_9975
-rw------- 1 user2 users 1576 Sep 12 16:29 krb5cc_15056_15057
-rw------- 1 user2 users 1576 Sep 12 17:17 krb5cc_18485_18486
4 REPLIES 4
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-12-2003 01:55 PM
09-12-2003 01:55 PM
Re: Kerberos Credential Cache files are building up
One way to go is a little research.
Those numbers at the end of the filenames are probably process ids.
ps -ef | grep
see if the process is still running, just to get an idea how long the files get used.
You can do a find command and gather up these files once they are two days old and delete them.
just put whatever number you want in the var OLDEST
find /tmp/krb -type f -name core -mtime +${OLDEST} -exec rm
Thats close, you'll need to work it out.
SEP
Those numbers at the end of the filenames are probably process ids.
ps -ef | grep
see if the process is still running, just to get an idea how long the files get used.
You can do a find command and gather up these files once they are two days old and delete them.
just put whatever number you want in the var OLDEST
find /tmp/krb -type f -name core -mtime +${OLDEST} -exec rm
Thats close, you'll need to work it out.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-15-2003 09:42 AM
09-15-2003 09:42 AM
Re: Kerberos Credential Cache files are building up
From what I can tell, those numbers are not the PIDs of current processes nor the PIDs of related former processes (although that is more difficult to check).
I have read documentation that says the files are supposed to be named "krb5cc_UID," corresponding to the logged in user. This seems to be true if I log in as a user contained in the local /etc/passwd file and run "kinit". However, for users that are stored in Active Directory, these large numbers are generated somehow.
I could schedule a cleanup job to delete these files after 2 days, but if a user has been logged in for 2 days, I do not want to delete their credential cache while they are still using it. I suppose I could create a script that runs "klist -c" for each file and only deletes files with expired tickets. However, I would rather follow an official HP recommendation than solve the problem my own way.
I have read documentation that says the files are supposed to be named "krb5cc_UID," corresponding to the logged in user. This seems to be true if I log in as a user contained in the local /etc/passwd file and run "kinit". However, for users that are stored in Active Directory, these large numbers are generated somehow.
I could schedule a cleanup job to delete these files after 2 days, but if a user has been logged in for 2 days, I do not want to delete their credential cache while they are still using it. I suppose I could create a script that runs "klist -c" for each file and only deletes files with expired tickets. However, I would rather follow an official HP recommendation than solve the problem my own way.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-16-2003 10:09 AM
09-16-2003 10:09 AM
Re: Kerberos Credential Cache files are building up
I have learned more information about the situation, although I have not been able to solve the problem.
In general, the numbers at the end of the files seem to be time-related. For example, if a telnet generates the number 13650, another telnet a minute later will generate a number around 13750. However, I am not too concerned about this number.
I read the pam_krb5 man page with more detail than before, and it said this:
"The session management module provides function to terminate sessions. It cleans up the credential cache file created by the Authentication module."
I had not previous realized that, so I modified /etc/pam.conf and added this line:
OTHER session required /usr/lib/security/libpam_krb5.1 debug
Now it should work. If I FTP to the system, there is no residual krb5cc_*_* file left in /tmp, and I see this in the debug log:
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_acct_mgmt() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_acct_mgmt() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: FTP LOGIN FROM hostname [X.XXX.XX.XX], user1
Sep 16 13:22:46 pofhpu02 ftpd[4292]: FTP session closed
However, when I telnet into the system and then logout, the krb5cc_*_* is not deleted. When I check the debug log, there is no trace of the session being closed:
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_acct_mgmt() begin
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_acct_mgmt() end, retval = 0
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() begin
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() end, retval = 0
Is it a bug that telnet does not close the session? I don't see pam_sm_close_session() from su or rlogin either.
In general, the numbers at the end of the files seem to be time-related. For example, if a telnet generates the number 13650, another telnet a minute later will generate a number around 13750. However, I am not too concerned about this number.
I read the pam_krb5 man page with more detail than before, and it said this:
"The session management module provides function to terminate sessions. It cleans up the credential cache file created by the Authentication module."
I had not previous realized that, so I modified /etc/pam.conf and added this line:
OTHER session required /usr/lib/security/libpam_krb5.1 debug
Now it should work. If I FTP to the system, there is no residual krb5cc_*_* file left in /tmp, and I see this in the debug log:
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_acct_mgmt() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_acct_mgmt() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: FTP LOGIN FROM hostname [X.XXX.XX.XX], user1
Sep 16 13:22:46 pofhpu02 ftpd[4292]: FTP session closed
However, when I telnet into the system and then logout, the krb5cc_*_* is not deleted. When I check the debug log, there is no trace of the session being closed:
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_acct_mgmt() begin
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_acct_mgmt() end, retval = 0
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() begin
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() end, retval = 0
Is it a bug that telnet does not close the session? I don't see pam_sm_close_session() from su or rlogin either.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-14-2003 09:21 PM
10-14-2003 09:21 PM
Re: Kerberos Credential Cache files are building up
You write:
I have recently implemented Kerberos and LDAP-UX on an HP-UX 11.00 system to allow it to use Active Directory for user/group management. I'm doing this "by the book" and following HP's documentation.
I'd also like to setup my servers and workstations to use AD for user/group management. Which documentation of HP did you follow?
Thanks!
I have recently implemented Kerberos and LDAP-UX on an HP-UX 11.00 system to allow it to use Active Directory for user/group management. I'm doing this "by the book" and following HP's documentation.
I'd also like to setup my servers and workstations to use AD for user/group management. Which documentation of HP did you follow?
Thanks!
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Events and news
Customer resources
© Copyright 2025 Hewlett Packard Enterprise Development LP