Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-8996: PamUserLogout2 warn messages filling up syslog

Authentication Service ,  

2 August,17 at 03:13 PM

Applies to:  Centrify DirectControl 5.4.0 and 5.4.1


After upgrading to DirectControl 5.4.0, the following WARN message is seen quite frequently in the syslog.  The message has potential to fill up the log file if the user in question logs in often via a script or cron job.

Jun 21 15:39:21 server1 adclient[12345]: WARN <fd:27 PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user acmeuser: stat ccache:No credentials cache found


In this scenario, the Active Directory user in question, was being used to run a script and was logging in via public key over SSH, so that it did not create a kerberos cache.  When user logs out, Centrify will check and destroy this cache if it exists. This exception is thrown when there is no kerberos cache for the agent to clean up.


In the /etc/centrifydc/centrifydc.conf file, set the following parameter to false and then run 'adreload' for that setting to take effect.

    krb5.cache.clean.pam.sshd: false

This setting tells pam_close_session/userLogout to bypass the kerberos cache clean up during the ssh logoff process. Instead the kerberos cache cleanup will occur via a background process after the user logs out.


Will be fixed in the Suite 2017.2 (5.4.2) version of Centrify Direct Control Agent.