Centrify DirectControl 5.4.0 and 5.4.1
Problem:
After upgrading to DirectControl 5.4.0, the following WARN message appears frequently in the syslog. The message has the potential to fill up the log file if the user in question logs in often via a script or cron job.
Jun 21 15:39:21 server1 adclient: WARN <fd:27 PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user acmeuser: stat ccache:No credentials cache found
In this scenario, the Active Directory user in question was being used to run a script and was logging in via public key over SSH, so it did not create a Kerberos cache. When a user logs out, Centrify checks for this cache and destroys it if it exists. This exception is thrown when there is no Kerberos cache for the agent to clean up.
Workaround:
In the /etc/centrifydc/centrifydc.conf file, set the following parameter to false and then run 'adreload' for that setting to take effect:
    krb5.cache.clean.pam.sshd: false
This setting tells pam_close_session/userLogout to bypass the Kerberos cache cleanup during the SSH logoff process. Instead, the Kerberos cache cleanup will occur via a background process after the user logs out.
Resolution:
This will be fixed in the Suite 2017.2 (5.4.2) version of the Centrify DirectControl Agent.
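To see which accounts trigger the warning described under Problem, and how often, the following added example (not part of the original article and not Centrify tooling) counts the message per user in a syslog file. The sample input is constructed: only the first line's format comes from the article, and the user "batchsvc" and the sshd line are made up for illustration.

```shell
#!/bin/sh
# Added example: per-user count of the adclient
# "No credentials cache found" WARN message in a syslog file.

# Print "<count> <user>" for each account, busiest first.
# $1 is the log file to read ("-" reads standard input).
ccache_warn_by_user() {
    awk '
        /adclient: WARN/ &&
        /Problem processing logged out user/ &&
        /No credentials cache found/ {
            # The user name sits between "logged out user " and the next ":".
            rest = $0
            sub(/.*Problem processing logged out user /, "", rest)
            sub(/:.*/, "", rest)
            if (rest != "") count[rest]++
        }
        END { for (u in count) print count[u], u }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log. Line 1 follows the article's message format;
# the remaining lines, times and the user "batchsvc" are invented.
sample_log() {
    cat <<'EOF'
Jun 21 15:39:21 server1 adclient: WARN <fd:27 PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user acmeuser: stat ccache:No credentials cache found
Jun 21 15:40:02 server1 adclient: WARN <fd:27 PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user batchsvc: stat ccache:No credentials cache found
Jun 21 15:40:30 server1 sshd[4242]: Accepted publickey for batchsvc from 192.0.2.10 port 50022 ssh2
Jun 21 15:41:02 server1 adclient: WARN <fd:27 PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user batchsvc: stat ccache:No credentials cache found
Jun 21 15:42:02 server1 adclient: WARN <fd:27 PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user batchsvc: stat ccache:No credentials cache found
Jun 21 15:45:10 server1 adclient: WARN <fd:27 PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user acmeuser: stat ccache:No credentials cache found
EOF
}

# Demo on the constructed sample. On a real host, pass the syslog
# file instead, e.g. ccache_warn_by_user /var/log/messages
sample_log | ccache_warn_by_user -
```

Accounts near the top of the output are the scripted or cron-driven SSH logins most likely to fill the log until the workaround or the fixed agent version is in place.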