Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8996: PamUserLogout2 warn messages filling up syslog

Authentication Service ,  

2 August,17 at 03:13 PM

Applies to:  Centrify DirectControl 5.4.0 and 5.4.1


Problem:

After upgrading to DirectControl 5.4.0, the following WARN message is seen quite frequently in the syslog.  The message has potential to fill up the log file if the user in question logs in often via a script or cron job.

 
Jun 21 15:39:21 server1 adclient[12345]: WARN <fd:27 PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user acmeuser: stat ccache:No credentials cache found


Cause:

In this scenario, the Active Directory user in question, was being used to run a script and was logging in via public key over SSH, so that it did not create a kerberos cache.  When user logs out, Centrify will check and destroy this cache if it exists. This exception is thrown when there is no kerberos cache for the agent to clean up.


Workaround:

In the /etc/centrifydc/centrifydc.conf file, set the following parameter to false and then run 'adreload' for that setting to take effect.

    krb5.cache.clean.pam.sshd: false

This setting tells pam_close_session/userLogout to bypass the kerberos cache clean up during the ssh logoff process. Instead the kerberos cache cleanup will occur via a background process after the user logs out.


Resolution:

Will be fixed in the Suite 2017.2 (5.4.2) version of Centrify Direct Control Agent.

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-3925: How to add Centrify parameter to a group policy articleKB-2438: adclient [daemon.warning] WARN <fd:22 NSSGetUserAttrDataByName articleKB-4282: What is the meaning of "Failed to resolve cache. No credentials cache found" messages in /var/log/messages coming from kcm articleKB-2388: Why do I get the warning messages "sql.wrap failed to finalize statement" and "library routine called out of sequence"? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleCentrify 17.11 Release Notes articleKB-1628: How to eliminate HPUX syslog message "AD user conflicts with user in local protected password database" articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-5876: How to supress agent SYSLOG warnings