Problem: Applications on Solaris 11.4 that use Kerberos authentication fail with access denied even when /usr/share/centrifydc/kerberos/bin/klist displays a proper Ticket Granting Ticket (TGT).
Example of accessing a Kerberized NFS share with a valid TGT:
Cause: According to Oracle Support, "As from Solaris 11.3 to Solaris 11.4, ccache location changed from FILE:/tmp/krb5cc_%{uid} to /tmp/volatile-user/%{uid}/krb5cc_%{uid}". Because of this change, the TGT generated by Centrify is not picked up.
Workaround: In the login profiles, create a symlink at /tmp/volatile-user/%{uid}/krb5cc_%{uid} that points to /tmp/krb5cc_%{uid}. See an example below.
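# Look up the numeric UID of the logged-in user (UID itself is read-only in bash).
KRB_UID=$(getent passwd "$USER" | nawk -F ":" '{print $3}')
# Link the Solaris 11.4 ccache path to the cache in /tmp if it is not already there.
if [ -d "/tmp/volatile-user/$KRB_UID" ] && [ ! -f "/tmp/volatile-user/$KRB_UID/krb5cc_$KRB_UID" ]; then
    ln -s "/tmp/krb5cc_$KRB_UID" "/tmp/volatile-user/$KRB_UID/krb5cc_$KRB_UID"
fi

Example of accessing the Kerberized NFS share after creating a symlink: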
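The profile snippet from the workaround, rewritten as an added example (not Centrify's or Oracle's code). Before linking, it checks that the cache in /tmp is a regular file, owned by the current user, with no group or other access. The function name link_ccache, its optional root argument and its return codes are assumptions made for illustration.

```shell
# Added example; link_ccache, its root argument and its return codes are
# hypothetical and not part of any Centrify or Solaris tooling.
link_ccache() {
    root=${1:-/tmp}                  # override only for testing
    uid=$(id -u)                     # do not assign UID: it is read-only in bash
    src="$root/krb5cc_$uid"          # cache path named in the article
    dir="$root/volatile-user/$uid"
    dst="$dir/krb5cc_$uid"           # path Solaris 11.4 looks at

    # 1: the per-user directory is absent, so there is nothing to link into.
    [ -d "$dir" ] || return 1

    # 2: the cache is missing, is itself a symlink, or is not owned by us.
    if [ -h "$src" ] || [ ! -f "$src" ] || [ ! -O "$src" ]; then
        return 2
    fi

    # 3: the cache is readable or writable by group or other.
    case $(ls -ld "$src" | cut -c1-10) in
        -rw-------|-r--------) ;;
        *) return 3 ;;
    esac

    # A real cache file already at the new location is left untouched.
    if [ -f "$dst" ] && [ ! -h "$dst" ]; then
        return 0
    fi

    # Replace a stale or unexpected link so it always points at our cache.
    if [ -h "$dst" ]; then
        rm -f "$dst"
    fi
    ln -s "$src" "$dst"
}
```

Call link_ccache with no arguments from the login profile; a non-zero return means no link was created and the cache in /tmp should be inspected.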