Hi,
When /tmp is full, it is impossible to authenticate with Kerberos. Login with password over SSH and sudo don't work. Login with ssh key works fine. Here is the output in the system log when I try to log on via SSH with password auth (this is on RHEL 6):
Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 192.168.1.48 port 49917 ssh2
Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48
From SSH I get: Permission denied, please try again.
The problem seems to be that Kerberos can't store its credentials cache. Is this normal, and is there a way around it? Sure, ideally I should limit the space usable by each user, but that doesn't help when a given user needs to log in and fix their tmp usage.
Thanks, Marius
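The log above shows why this failure mode is easy to misread in a SOC: sshd only ever logs a generic "Failed password", so a host whose /tmp is full looks, in the sshd audit trail alone, like a user typing the wrong password or a password-guessing attempt. The script below is an added example (not code from sshd, sssd or anyone in this thread) that correlates the krb5_child "Credentials cache I/O operation failed" line with the sshd failure on the same host inside a short window and tags the event as a local credential-cache failure rather than an authentication failure. It assumes classic syslog timestamps without a year (2017 is filled in from the thread), uses the six log lines quoted in the post, and adds one constructed ordinary failure (user "bob") for contrast.

```python
"""Triage sshd password failures against krb5_child credential-cache errors.

Added example for this thread, not sshd/sssd code. A local ccache write
failure makes sshd log a plain "Failed password", indistinguishable from a
bad password unless the preceding krb5_child error is taken into account.
"""
import re
from datetime import datetime, timedelta

# Classic syslog line: "Mon DD HH:MM:SS host process[pid]: message".
# The process field has no spaces even for sssd's "[sssd[krb5_child[pid]]]".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\S+): (?P<msg>.*)$")
FAILED_PW_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
CCACHE_ERR = "Credentials cache I/O operation failed"
LOG_YEAR = 2017  # syslog carries no year; assumed from the thread's date

# Constructed sample: the six lines quoted in the thread plus one ordinary
# failed password (user "bob") with no ccache error in front of it.
SAMPLE_LOG = """\
Sep 18 16:56:59 vali sshd[35157]: Set /proc/self/oom_score_adj to 0
Sep 18 16:56:59 vali sshd[35157]: Connection from 192.168.1.48 port 49917
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:02 vali [sssd[krb5_child[35165]]]: Credentials cache I/O operation failed XXX
Sep 18 16:57:04 vali sshd[35157]: Failed password for paalmbj from 192.168.1.48 port 49917 ssh2
Sep 18 16:57:07 vali sshd[35158]: Connection closed by 192.168.1.48
Sep 18 17:10:00 vali sshd[35201]: Failed password for bob from 192.168.1.77 port 50001 ssh2
"""


def parse(line):
    """Split one syslog line into (timestamp, host, process, message)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (LOG_YEAR, m["ts"]), "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["proc"], m["msg"]


def triage(log_text, window=timedelta(seconds=10)):
    """Return one finding per sshd password failure.

    verdict is "local-ccache-failure" when a krb5_child ccache I/O error on
    the same host preceded the failure within `window`, else "auth-failure".
    """
    last_ccache_err = {}  # host -> time of the most recent ccache error
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, host, proc, msg = rec
        if "krb5_child" in proc and CCACHE_ERR in msg:
            last_ccache_err[host] = ts
            continue
        fp = FAILED_PW_RE.search(msg)
        if proc.startswith("sshd") and fp:
            err_ts = last_ccache_err.get(host)
            if err_ts is not None and timedelta(0) <= ts - err_ts <= window:
                verdict = "local-ccache-failure"
            else:
                verdict = "auth-failure"
            findings.append({"time": ts, "host": host, "user": fp["user"],
                             "src": fp["ip"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s %s user=%s src=%s -> %s" % (f["time"], f["host"], f["user"],
                                                f["src"], f["verdict"]))
```

The useful operational consequence is the split in verdicts: "auth-failure" events feed the usual failed-login counters, while "local-ccache-failure" events should raise a host-health alert (disk full, ccache directory unwritable) and be excluded from lockout or brute-force scoring, otherwise a full /tmp can lock out or falsely flag every password user on the box.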
Marius Bjørnstad via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
/tmp filling up isn't normal and you need to fix that.
A lot of things (not just krb5/ssh) rely on being able to make tempfiles and if they can't, will break mysteriously. I don't believe we had DIR ccaches for 1.10. You might be able to work around by setting KRB5CCNAME, but if memory serves, I think ssh hardcodes an override to that.
Thanks, --Robbie
P.S. We removed the XXX from the error message in later versions.
On 09/18/2017 05:11 PM, Marius Bjørnstad via FreeIPA-users wrote:
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
the location of the credential cache can be specified either using the environment variable $KRB5CCNAME or globally in /etc/krb5.conf (with the setting default_ccache_name, or default value FILE:/tmp/krb5cc_%{uid} if not specified).
Please note that more recent versions of FreeIPA configure default_ccache_name = KEYRING:persistent:%{uid}
HTH, Flo
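Florence's two knobs (KRB5CCNAME, default_ccache_name, and the FILE:/tmp/krb5cc_%{uid} fallback) decide whether password authentication on a host depends on free space in /tmp at all. The script below is an added example, not FreeIPA or MIT krb5 code: it reads the default_ccache_name out of a krb5.conf, falls back to the built-in FILE default when the setting is absent (the RHEL 6 situation in this thread), expands %{uid}, and for the FILE and DIR cache types checks how much space the backing directory has. The two krb5.conf fragments and the EXAMPLE.TEST realm are constructed; the disk-space function is injectable so the check can be exercised without actually filling a filesystem.

```python
"""Resolve where MIT Kerberos will write the credential cache and check
whether that location can take a write.

Added example for this thread, not FreeIPA or MIT krb5 code. It assumes the
krb5.conf syntax named in the reply above: [libdefaults] default_ccache_name,
with FILE:/tmp/krb5cc_%{uid} as the built-in fallback when it is absent.
"""
import os
import re
import shutil
from collections import namedtuple
from dataclasses import dataclass

DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"
FILESYSTEM_TYPES = {"FILE", "DIR"}  # cache types that need free disk space
Usage = namedtuple("Usage", "total used free")  # shape of shutil.disk_usage()

# Constructed krb5.conf fragments: the RHEL 6 style with no ccache setting,
# and the KEYRING form that newer FreeIPA writes.
RHEL6_STYLE_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_kdc = true
"""
KEYRING_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}
"""


@dataclass
class CcacheSpec:
    ctype: str     # FILE, DIR, KEYRING, MEMORY, ...
    residual: str  # everything after "TYPE:", with %{uid} expanded
    source: str    # "krb5.conf" or "built-in default"


def default_ccache_name(conf_text):
    """Return (value, source) for default_ccache_name in [libdefaults]."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.match(r"\[(\w+)\]", line)
        if head:
            section = head.group(1)
            continue
        key, eq, value = line.partition("=")
        if section == "libdefaults" and eq and key.strip() == "default_ccache_name":
            return value.strip(), "krb5.conf"
    return DEFAULT_CCACHE, "built-in default"


def resolve_ccache(conf_text, uid):
    """Expand %{uid} and split TYPE:residual. A bare path without a TYPE:
    prefix is a FILE cache, which is how MIT krb5 interprets it."""
    value, source = default_ccache_name(conf_text)
    expanded = value.replace("%{uid}", str(uid))
    ctype, sep, residual = expanded.partition(":")
    if not sep:
        return CcacheSpec("FILE", ctype, source)
    return CcacheSpec(ctype.upper(), residual, source)


def ccache_write_risk(spec, disk_usage=shutil.disk_usage, min_free_bytes=1 << 20):
    """Classify the risk that storing a ticket fails for lack of space.

    Returns ("ok" | "at-risk", reason). disk_usage is injectable so the
    check can be tested without a full /tmp."""
    if spec.ctype not in FILESYSTEM_TYPES:
        return "ok", "%s cache does not depend on a filesystem" % spec.ctype
    if spec.ctype == "DIR":
        # DIR:/path names the collection directory; DIR::/path/file names
        # one cache file inside it.
        if spec.residual.startswith(":"):
            target = os.path.dirname(spec.residual[1:])
        else:
            target = spec.residual
    else:
        target = os.path.dirname(spec.residual) or "/"
    free = disk_usage(target).free
    if free < min_free_bytes:
        return "at-risk", "%s has %d bytes free; a new ticket cannot be stored" % (target, free)
    return "ok", "%s has %d bytes free" % (target, free)


if __name__ == "__main__":
    conf_path = "/etc/krb5.conf"
    conf = open(conf_path).read() if os.path.exists(conf_path) else RHEL6_STYLE_CONF
    spec = resolve_ccache(conf, os.getuid())
    print(spec, *ccache_write_risk(spec))
```

The check only covers the free-space case the thread is about; a FILE cache can also fail to be written when the filesystem is out of inodes, when a per-user quota is exhausted, or when the directory is not writable, so a production health check should attempt a small test write in the target directory as well. The KRB5CCNAME environment variable, when set for the process doing the authentication, overrides the krb5.conf value and would need to be fed to resolve_ccache in place of the file setting.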
On (19/09/17 18:46), Florence Blanc-Renaud via FreeIPA-users wrote:
Just a note that setting a KEYRING collection ccache requires a quite new kernel and MIT krb5 (upstream 1.12 IIRC).
So the correct answer should be a recent version of FreeIPA on RHEL 7 and Fedora :-)
LS
On Mon, Sep 18, 2017 at 05:11:09PM +0200, Marius Bjørnstad via FreeIPA-users wrote:
Well, you need to store the credentials /somewhere/...so if the credential storage is full, the only remaining thing is to fall back to cached passwords.
Which, if they are available (through cache_credentials=True in sssd.conf) is what I'd expect to happen. If that doesn't happen, please post your sssd logs..
On Tue, 2017-09-19 at 20:27 +0200, Jakub Hrozek via FreeIPA-users wrote:
Well, you need to store the credentials /somewhere/...so if the credential storage is full, the only remaining thing is to fall back to cached passwords.
Which, if they are available (through cache_credentials=True in sssd.conf) is what I'd expect to happen. If that doesn't happen, please post your sssd logs..
That should happen only if we are offline, not if krb auth fails?
Simo.
On Tue, Sep 19, 2017 at 04:25:21PM -0400, Simo Sorce wrote:
That should happen only if we are offline, not if krb auth fails?
Yes, you're right, sorry.
(Although we've had a request to allow to run sssd in a degraded responder-only mode in case /var is full and the providers can't write into the db, I guess that's what I confused the issue with)
Thanks for the replies. We have migrated most servers to RHEL7. I'll see about configuring the default_ccache_name on those, one way or another.
-Marius
On - Sep. 2017 at 09.02, Jakub Hrozek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
We normally store credentials in the kernel keyring; have you changed the default ccache type in your installation?
If you have elected to use /tmp to store ccaches and it is full, it is expected for auth to fail.
Simo.
On Mon, 2017-09-18 at 17:11 +0200, Marius Bjørnstad via FreeIPA-users wrote:
On Tue, 2017-09-19 at 14:37 -0400, Simo Sorce via FreeIPA-users wrote:
We normally store credentials in the kernel keyring; have you changed the default ccache type in your installation?
Ignore the above, I overlooked that you are on RHEL6, we introduced the keyring in RHEL7.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc