
KB-2297: /tmp filled with krb5cc_cdc as a result of user not closing session properly

Centrify DirectControl

12 April 2016, 11:08 AM

Applies to: Versions of Centrify DirectControl 5.x.x
 
Question:
It appears that the /tmp folder is filling up with krb5* log files even after upgrading the agent from 4.4.2 to version 5.x.x. 
 
/tmp was completely emptied before upgrading and it's been filling back up ever since. 
 
The user 'User1' is logging in via SSH and then using Telnet to query another system, as this is the only protocol this other system can accept:
 
workstation01:/tmp # ll krb5cc_*|wc -l
2054
workstation01:/tmp # ll krb5cc_*| head
-rw------- 1 User2 support 1580 May 28 16:47 krb5cc_12712
-rw------- 1 User1 support 1490 May 28 16:01 krb5cc_127138
-rw------- 1 User3 support 1554 May 28 16:13 krb5cc_81517
-rw------- 1 User2 support 1580 May 28 16:47 krb5cc_cdc12712_0zi9F4
-rw------- 1 User1 support 1490 May 28 18:10 krb5cc_cdc127138_023m6n
-rw------- 1 User1 support 1490 May 28 18:01 krb5cc_cdc127138_02Hedz
-rw------- 1 User1 support 1490 May 28 18:10 krb5cc_cdc127138_04VDsw
-rw------- 1 User1 support 1490 May 28 16:09 krb5cc_cdc127138_04bNit
-rw------- 1 User1 support 1490 May 28 18:10 krb5cc_cdc127138_08XvhG
-rw------- 1 User1 support 1490 May 28 18:10 krb5cc_cdc127138_0B3nYr
 
workstation01:/tmp # w |grep User1
 
User1 pts/2 16:03 2:07m 0.02s 0.02s -ksh
User1 pts/7 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04930.us 50001
User1 pts/8 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04942.us 50001
User1 pts/9 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04926.us 50001
User1 pts/10 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04927.us 50001
User1 pts/11 16:03 2:07m 0.02s 0.00s telnet ext-sys.s04948.us 50001
User1 pts/12 06Apr13 52days 0.84s 0.84s -ksh
User1 pts/14 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04946.us 50001
User1 pts/15 16:04 2:07m 0.02s 0.00s telnet ext-sys.s04958.us 50001
 
Why does this happen?
 
Answer:
To keep each session separate, adclient by default maintains a separate Kerberos credential cache per session, so that terminating session 1 does not affect session 2 of the same user. This means that if a user has multiple login sessions, each one has its own Kerberos credential cache file.
 
Normally, on logoff each session calls pam_close_session, which deletes that session's cache. Some older OSes and applications such as Telnet and FTP are notorious for not cleaning up after themselves at logoff, so adclient runs a background sweep every 30 minutes to remove leftover credential cache files. Because the sweep cannot tell which caches are still in use, it only removes a user's caches when that user has no session recorded in utmp. Consequently, as long as the user has any session still active (in the example above, User1 has a ksh session that has been open for 52 days), the sweep will not remove any credential cache owned by that user.
 
A workaround is to make all of a user's sessions share one Kerberos credential cache (the trade-off is the one described above: logging out of one session removes the cache that the user's other sessions are using). In /etc/centrifydc/centrifydc.conf set:
 
krb5.unique.cache.files: false
 
Save the file and run: adreload (this makes adclient re-read centrifydc.conf).
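The following script is an added example and not a Centrify tool: it applies the setting above idempotently (rewriting an existing active krb5.unique.cache.files line, or appending one if there is none, while leaving commented-out defaults alone) and then runs adreload. The file path, key and value are the ones given in this article; the function names, the CONF variable and the --apply flag are my own choices.

```shell
#!/bin/sh
# Added example (not part of the KB article or of Centrify's tooling).
# Sets a "key: value" line in centrifydc.conf without duplicating it.

CONF="${CONF:-/etc/centrifydc/centrifydc.conf}"   # path from the article

# set_conf_key FILE KEY VALUE
# Rewrites the active (uncommented) "KEY: ..." line to "KEY: VALUE"; if there
# are several active lines they collapse into one; if there is none, one is
# appended. Commented-out defaults such as "# KEY: true" are left untouched.
set_conf_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "set_conf_key: $file not found" >&2; return 1; }
    tmp="${file}.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            l = $0; sub(/^[[:space:]]+/, "", l)          # strip indentation
            n = index(l, ":"); kk = ""
            if (n) { kk = substr(l, 1, n - 1); sub(/[[:space:]]+$/, "", kk) }
        }
        kk == k { if (!seen) print k ": " v; seen = 1; next }   # rewrite
        { print }
        END { if (!seen) print k ": " v }                        # or append
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat-over rather than mv keeps the file's original owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_conf_key FILE KEY
# Prints the value of the active "KEY: value" line (empty if only a
# commented-out line exists). Used here to verify what set_conf_key wrote.
get_conf_key() {
    awk -v k="$2" '
        {
            l = $0; sub(/^[[:space:]]+/, "", l)
            n = index(l, ":"); if (!n) next
            kk = substr(l, 1, n - 1); sub(/[[:space:]]+$/, "", kk)
            if (kk == k) {
                val = substr(l, n + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Only change the live configuration when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    set_conf_key "$CONF" krb5.unique.cache.files false
    echo "krb5.unique.cache.files is now: $(get_conf_key "$CONF" krb5.unique.cache.files)"
    adreload    # from the article: make adclient re-read centrifydc.conf
fi
```

Run it as root with --apply on the affected host; without the flag it only defines the functions, which is convenient for checking a copy of the file first with get_conf_key.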
 
===
 
Alternatively, list the krb5cc_cdc<uid>_* files and remove those that are 1 or 2 days old; these are usually the stale cache files left behind by sessions that did not close properly.
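The script below is an added example, not part of this article or of Centrify's agent. It does the manual cleanup just described in a checkable way: it lists the krb5cc_cdc<uid>_* files in /tmp that are more than two days old, skips any whose owner does not match the uid in the file name (such a file is not a normal adclient leftover and deserves a look), flags files whose owner still has a utmp entry (the case in which adclient's own sweep will not remove them), and only deletes when run with --delete. The function names, the CACHE_DIR and MIN_AGE_DAYS variables and the --delete flag are my own choices.

```shell
#!/bin/sh
# Added example (not part of the KB article or of Centrify's tooling).
# Dry run by default: lists stale krb5cc_cdc<uid>_* files; --delete removes them.

CACHE_DIR="${CACHE_DIR:-/tmp}"
MIN_AGE_DAYS="${MIN_AGE_DAYS:-2}"   # "1 or 2 days old" per the article

# owner_matches FILE UID: true if FILE is owned by numeric UID.
owner_matches() {
    [ -n "$(find "$1" -maxdepth 0 -uid "$2" 2>/dev/null)" ]
}

# logged_in UID: true if the account with this UID has a utmp entry (via who).
logged_in() {
    name=$(id -nu "$1" 2>/dev/null) || return 1
    who 2>/dev/null | awk -v u="$name" '$1 == u { found = 1 } END { exit !found }'
}

# stale_caches DIR DAYS
# Prints, one per line, the regular files DIR/krb5cc_cdc<uid>_* whose mtime is
# more than DAYS days old and whose owner is the <uid> in the file name.
stale_caches() {
    find "$1" -maxdepth 1 -type f -name 'krb5cc_cdc[0-9]*_*' -mtime +"$2" 2>/dev/null |
    sort |
    while IFS= read -r f; do
        base=${f##*/}
        uid=${base#krb5cc_cdc}      # drop the fixed prefix ...
        uid=${uid%%_*}              # ... and keep the digits before the first "_"
        if owner_matches "$f" "$uid"; then printf '%s\n' "$f"; fi
    done
}

# remove_stale_caches DIR DAYS: deletes what stale_caches lists, prints the count.
remove_stale_caches() {
    list=$(stale_caches "$1" "$2")
    if [ -z "$list" ]; then echo 0; return 0; fi
    printf '%s\n' "$list" | while IFS= read -r f; do rm -f -- "$f"; done
    printf '%s\n' "$list" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--delete" ]; then
    echo "removed $(remove_stale_caches "$CACHE_DIR" "$MIN_AGE_DAYS") stale cache file(s) from $CACHE_DIR"
else
    # Dry run: show what would go, and note owners the adclient sweep would skip.
    stale_caches "$CACHE_DIR" "$MIN_AGE_DAYS" | while IFS= read -r f; do
        uid=${f##*/krb5cc_cdc}; uid=${uid%%_*}
        if logged_in "$uid"; then
            printf '%s\t(owner still logged in; the adclient sweep will not remove it)\n' "$f"
        else
            printf '%s\n' "$f"
        fi
    done
fi
```

Run it once without arguments to review the list, then with --delete. Because krb5cc_<uid> (without "cdc") and fresh files are never matched, a user's currently active cache is left alone; raise MIN_AGE_DAYS if you want a wider margin.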
