Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4282: What is the meaning of "Failed to resolve cache. No credentials cache found" messages in /var/log/messages coming from kcm

Authentication Service ,  

12 April,16 at 11:46 AM

Applies to: All versions of Centrify DirectControl
 
Question:
 
Lots of "Failed to resolve cache. No credentials cache found" messages are found in /var/log/messages coming from centrify-kcm. Here is a sample of the log file:
 
Nov 20 10:47:59 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 840910:56: No credentials cache found 
Nov 20 10:48:02 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 840910: No credentials cache found 
Nov 20 10:48:07 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 840910:54: No credentials cache found 
Nov 20 10:48:30 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 0: No credentials cache found 
Nov 20 10:48:30 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 0: No credentials cache found 
Nov 20 10:48:30 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 0: No credentials cache found 
Nov 20 10:48:30 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 0: No credentials cache found
 
What is the meaning of the above messages? Considering these are INFO messages from centrify-kcm, is there any way to configure /etc/krb5.conf so that only warnings and error messages are logged?
 
Answer:
 
Take below message as an example, this means user with uid 300 has no kerberos ticket in memory cache:
 
Nov 20 10:48:02 linux-install-md /usr/share/centrifydc/kerberos/sbin/kcm[10842]: Failed to resolve cache 840910: No credentials cache found 
 
Prior to Suite 2014, centrify-kcm does not support log level control in krb5.conf, those messages are always written to syslog with "INFO" level. However, one can change the syslog facility that centrify-kcm uses.
 
Following is a possible workaround to have messages with only warning or higher level written into /var/log/messages:
 
1) add following setting to the end of /etc/krb5.conf:
 
   [logging]
   kcm = SYSLOG:INFO:LOCAL5
 
2) add following setting to the end of /etc/rsyslog.conf:
 
   local5.warn /var/log/messages
 
3) run the following command to notify rsyslogd to reload configurations
 
      (run as root)
   #/usr/share/centrifydc/bin/addebug syslog
 
4) restart centrify-kcm (Warning: all in-memory tickets will be lost)
 
      (run as root)
   #/usr/share/centrifydc/bin/centrify-kcm restart
 
 
(Please note that if /etc/rsyslog.conf contains asterisk('*') for log facility matching, like
 
*.info     /var/log/messages
 
then the above workaround would not help, as INFO level messages will always be written into /var/log/messages.)
 
 
In Suite 2014, support for syslog level control for centrify-kcm is added. For example, in krb5.conf, one can configure: 
 
 
[logging] 
kcm = SYSLOG:WARNING:AUTH
 
 
so centrify-kcm will only send messages of WARNING or higher level to syslog. Please be reminded to restart centrify-kcm to load the new logging setting:
 
(run as root)
#/usr/share/centrifydc/bin/centrify-kcm restart
  
(Warning: All in-memory tickets will be lost upon centrify-kcm restart)

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-1239: What is the meaning of "WARN util.runqueue Log queue is full" in /var/log/centrifydc.log articleKB-4032: adbindd error: Unsupported or invalid winbindd interface version articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer?