Kerberos Credential Cache files are building up

David Sickmiller
Occasional Contributor

I have recently implemented Kerberos and LDAP-UX on an HP-UX 11.00 system to allow it to use Active Directory for user/group management. I'm doing this "by the book" and following HP's documentation.

If I run "ll /tmp/krb*", I see an abundance of krb5cc_*_* files. There is nearly one for each telnet session to the system.

From the Kerberos documentation, I thought these files would be deleted when the users' sessions ended. Is this a bug? I would like to clean these up, but I am not sure when it becomes safe to delete them.

Here is a snippet:
-rw------- 1 user1 users 1272 Sep 11 13:25 krb5cc_15965_15966
-rw------- 1 user3 users 1280 Sep 11 13:26 krb5cc_15966_16042
-rw------- 1 user1 users 1272 Sep 11 13:27 krb5cc_16096_16097
-rw------- 1 user3 users 1280 Sep 11 13:27 krb5cc_16097_16176
-rw------- 1 user1 users 1272 Sep 11 13:31 krb5cc_16472_16476
-rw------- 1 user2 users 1536 Sep 11 13:35 krb5cc_16801_16802
-rw------- 1 user2 users 1536 Sep 11 13:38 krb5cc_670_17086
-rw------- 1 user3 users 1280 Sep 11 13:38 krb5cc_17106_17107
-rw------- 1 user2 users 1536 Sep 11 13:39 krb5cc_17107_17136
-rw------- 1 user2 users 1536 Sep 11 13:40 krb5cc_17107_17332
-rw------- 1 user2 users 1536 Sep 11 13:42 krb5cc_17508_17509
-rw------- 1 user2 users 1536 Sep 11 13:45 krb5cc_17791_17792
-rw------- 1 user1 users 1272 Sep 11 14:16 krb5cc_20303_20304
-rw------- 1 user2 users 1536 Sep 11 14:40 krb5cc_22181_22183
-rw------- 1 user1 users 1272 Sep 11 14:57 krb5cc_23510_23523
-rw------- 1 user3 users 1280 Sep 11 15:45 krb5cc_27087_27088
-rw------- 1 user1 users 1272 Sep 11 15:59 krb5cc_28084_28085
-rw------- 1 user2 users 1536 Sep 11 15:59 krb5cc_28124_28125
-rw------- 1 user1 users 1272 Sep 11 16:00 krb5cc_28310_28311
-rw------- 1 user1 users 1272 Sep 12 15:04 krb5cc_670_8616
-rw------- 1 user3 users 1320 Sep 12 15:21 krb5cc_9933_9934
-rw------- 1 user1 users 1272 Sep 12 15:21 krb5cc_9974_9975
-rw------- 1 user2 users 1576 Sep 12 16:29 krb5cc_15056_15057
-rw------- 1 user2 users 1576 Sep 12 17:17 krb5cc_18485_18486
Steven E. Protter
Exalted Contributor

Re: Kerberos Credential Cache files are building up

One way to go is a little research.

Those numbers at the end of the filenames are probably process ids.

ps -ef | grep

See if the process is still running, just to get an idea how long the files get used.

You can do a find command and gather up these files once they are two days old and delete them.

Just put whatever number you want in the var OLDEST:

find /tmp -type f -name 'krb5cc_*' -mtime +${OLDEST} -exec rm {} \;

That's close, you'll need to work it out.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
David Sickmiller
Occasional Contributor

Re: Kerberos Credential Cache files are building up

From what I can tell, those numbers are not the PIDs of current processes nor the PIDs of related former processes (although that is more difficult to check).

I have read documentation that says the files are supposed to be named "krb5cc_UID," corresponding to the logged-in user. This seems to be true if I log in as a user contained in the local /etc/passwd file and run "kinit". However, for users that are stored in Active Directory, these large numbers are generated somehow.

I could schedule a cleanup job to delete these files after 2 days, but if a user has been logged in for 2 days, I do not want to delete their credential cache while they are still using it. I suppose I could create a script that runs "klist -c" for each file and only deletes files with expired tickets. However, I would rather follow an official HP recommendation than solve the problem my own way.
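The age-based find in the earlier reply and the klist-per-file idea above can be combined into one sweep that deletes a cache only once every ticket in it has expired. This is an added example, not a script from the thread or from HP; it assumes klist -c prints MIT-style rows of "Valid starting  Expires  Service principal" with MM/DD/YY HH:MM:SS timestamps, and the klist output embedded below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: remove /tmp/krb5cc_* caches only once every
# ticket they hold has expired, rather than purely by file age.
# Assumption: klist -c prints MIT-style ticket rows of the form
#   "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  service/principal"
# (Valid starting, Expires, Service principal). Adjust the awk fields if HP-UX differs.

# cache_expired NOW   (klist output on stdin, NOW as YYYYMMDDHHMMSS)
# exit 0 when no ticket expires after NOW, exit 1 while any ticket is still live.
cache_expired() {
    awk -v now="$1" -F'[/ :]+' '
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
            yy = $9 + 0; yy = (yy < 70) ? 2000 + yy : 1900 + yy   # two-digit year of Expires
            expires = sprintf("%04d%02d%02d%02d%02d%02d", yy, $7, $8, $10, $11, $12)
            if (expires > now) live++
        }
        END { exit (live > 0) ? 1 : 0 }'
}

# sweep_stale_caches DIR NOW: delete caches whose tickets have all expired.
# A cache klist cannot read is listed and left alone rather than deleted blindly.
sweep_stale_caches() {
    for f in "$1"/krb5cc_*; do
        [ -f "$f" ] || continue
        if ! out=$(klist -c "$f" 2>/dev/null); then
            echo "skipping unreadable cache $f" >&2
            continue
        fi
        if printf '%s\n' "$out" | cache_expired "$2"; then
            echo "removing expired cache $f"
            rm -f "$f"
        fi
    done
}

# Constructed klist output for a cache like the ones in the listing above.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_15965_15966
Default principal: user1@EXAMPLE.COM

Valid starting     Expires            Service principal
09/11/03 13:25:10  09/11/03 23:25:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
09/11/03 13:25:12  09/11/03 23:25:10  host/pofhpu02.example.com@EXAMPLE.COM'

# Run as: sh sweep.sh /tmp   (uses the current clock as NOW)
if [ $# -eq 1 ]; then
    sweep_stale_caches "$1" "$(date +%Y%m%d%H%M%S)"
fi
```

Because expiry is read from the tickets themselves, a user who has been logged in for two days keeps a cache as long as it still holds live tickets, which the plain -mtime approach cannot guarantee.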
David Sickmiller
Occasional Contributor

Re: Kerberos Credential Cache files are building up

I have learned more information about the situation, although I have not been able to solve the problem.

In general, the numbers at the end of the files seem to be time-related. For example, if a telnet generates the number 13650, another telnet a minute later will generate a number around 13750. However, I am not too concerned about this number.

I read the pam_krb5 man page with more detail than before, and it said this:
"The session management module provides function to terminate sessions. It cleans up the credential cache file created by the Authentication module."
I had not previously realized that, so I modified /etc/pam.conf and added this line:
OTHER session required /usr/lib/security/libpam_krb5.1 debug

Now it should work. If I FTP to the system, there is no residual krb5cc_*_* file left in /tmp, and I see this in the debug log:
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_acct_mgmt() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_acct_mgmt() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_open_session() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() begin
Sep 16 13:21:46 pofhpu02 ftpd[4292]: pam_krb5: pam_sm_close_session() end, retval = 0
Sep 16 13:21:46 pofhpu02 ftpd[4292]: FTP LOGIN FROM hostname [X.XXX.XX.XX], user1
Sep 16 13:22:46 pofhpu02 ftpd[4292]: FTP session closed

However, when I telnet into the system and then log out, the krb5cc_*_* file is not deleted. When I check the debug log, there is no trace of the session being closed:
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_acct_mgmt() begin
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_acct_mgmt() end, retval = 0
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() begin
Sep 16 13:28:07 pofhpu02 : pam_krb5: pam_sm_open_session() end, retval = 0

Is it a bug that telnet does not close the session? I don't see pam_sm_close_session() from su or rlogin either.
Skwar
Occasional Advisor

Re: Kerberos Credential Cache files are building up

You write:

I have recently implemented Kerberos and LDAP-UX on an HP-UX 11.00 system to allow it to use Active Directory for user/group management. I'm doing this "by the book" and following HP's documentation.


I'd also like to set up my servers and workstations to use AD for user/group management. Which HP documentation did you follow?

Thanks!