Applies to: All versions of Centrify DirectControl
Question:
Many "Failed to resolve cache. No credentials cache found" messages from centrify-kcm appear in /var/log/messages. Here is a sample of the log file:
Nov 20 10:47:59 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 840910:56: No credentials cache found
Nov 20 10:48:02 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 840910: No credentials cache found
Nov 20 10:48:07 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 840910:54: No credentials cache found
Nov 20 10:48:30 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 0: No credentials cache found
Nov 20 10:48:30 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 0: No credentials cache found
Nov 20 10:48:30 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 0: No credentials cache found
Nov 20 10:48:30 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 0: No credentials cache found
What is the meaning of the above messages? Considering these are INFO messages from centrify-kcm, is there any way to configure /etc/krb5.conf so that only warnings and error messages are logged?
Answer:
Take the message below as an example. It means that the user with uid 300 has no Kerberos ticket in the in-memory cache:
Nov 20 10:48:02 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 840910: No credentials cache found
Prior to Suite 2014, centrify-kcm does not support log level control in krb5.conf; these messages are always written to syslog at the "INFO" level. However, the syslog facility that centrify-kcm uses can be changed.
The following is a possible workaround so that only messages of warning level or higher are written to /var/log/messages:
1) Add the following setting to the end of /etc/krb5.conf:
[logging]
kcm = SYSLOG:INFO:LOCAL5
2) Add the following setting to the end of /etc/rsyslog.conf:
local5.warn /var/log/messages
3) Run the following command to tell rsyslogd to reload its configuration
(run as root)
# /usr/share/centrifydc/bin/addebug syslog
4) Restart centrify-kcm (Warning: all in-memory tickets will be lost)
(run as root)
# /usr/share/centrifydc/bin/centrify-kcm restart
(Please note that if /etc/rsyslog.conf uses an asterisk ('*') to match every log facility, like
*.info /var/log/messages
then the above workaround will not help, because INFO level messages from every facility, including LOCAL5, will still be written to /var/log/messages.)
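To check whether an existing rsyslog.conf would defeat the workaround as described in the note above, the following added example (not Centrify code) evaluates traditional syslog selectors against a LOCAL5 message. The two sample configurations are constructed, and the `local5.none` exclusion in the second is standard selector syntax assumed for illustration, not a step this article prescribes.

```python
# Added example: simplified model of traditional syslog selectors
# (facility.priority[;...] action). RainerScript and property-based
# filters are not handled.
SEVERITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def _level(name):
    return SEVERITIES.index(ALIASES.get(name, name))

def selector_matches(selector, facility, severity):
    """True if a message with this facility/severity passes the selector."""
    msg, matched = _level(severity), False
    for part in selector.split(";"):
        facs, _, prio = part.partition(".")
        if not ({facility, "*"} & set(facs.split(","))):
            continue                # this part names other facilities
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "none":          # facility excluded from this rule
            matched = False
            continue
        if prio == "*":
            hit = True
        else:
            hit = msg == _level(prio) if exact else msg >= _level(prio)
        if hit:
            matched = not negate    # "!" clears a match, the plain form sets it
    return matched

def rules_writing(conf_text, facility, severity, target):
    """Selectors in conf_text that deliver the message to the target file."""
    hits = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) != 2 or line.lstrip()[0] in "#$":
            continue                # blank, comment, directive or non-rule line
        selector, action = fields
        if action.lstrip("-") == target and selector_matches(selector, facility, severity):
            hits.append(selector)
    return hits

# Constructed samples: a catch-all rule plus the line from step 2.
WILDCARD = "*.info;mail.none;authpriv.none;cron.none /var/log/messages\nlocal5.warn /var/log/messages\n"
EXCLUDED = WILDCARD.replace("cron.none", "cron.none;local5.none")  # assumption, not from the article

if __name__ == "__main__":
    for name, conf in (("wildcard", WILDCARD), ("excluded", EXCLUDED)):
        print(name, rules_writing(conf, "local5", "info", "/var/log/messages"))
```

Any selector returned for a LOCAL5 INFO message means the kcm "Failed to resolve cache" lines will still reach /var/log/messages after steps 1 to 4.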
Suite 2014 adds support for syslog level control in centrify-kcm. For example, in krb5.conf, one can configure:
[logging]
kcm = SYSLOG:WARNING:AUTH
so that centrify-kcm sends only messages of WARNING or higher level to syslog. Remember to restart centrify-kcm to load the new logging setting:
(run as root)
# /usr/share/centrifydc/bin/centrify-kcm restart