[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Many /tmp/krb5* files

OS: Mostly Redhat 9 but also Solaris 8.  PAM/krb5 details at end of email.

Although our passwd information on those RH and Solaris machines uses NIS,
we recently migrated the authentication aspect from NIS to Kerberos (on
Active Directory).

Since then I have noticed that each machine's "/tmp" contains lots of
files with names of the form "/tmp/krb5<NIS-domain>_<uid>_<random>" on
Redhat (on Solaris it is the simpler "/tmp/krb5<NIS-domain>_<uid>").

These seem to persist for days after the session that generates them has
gone.  Generally this is not a problem.  But our email machines have a
very high daily quantity of IMAP and POP sessions, so the sheer quantity
of these files has a significant impact on filespace (we currently have
over 350,000 such files on one machine).

Presumably these files have no relevance after the initiating IMAP or POP
session has gone away.  Is there something we can do in PAM (or krb5.conf
or elsewhere) so it tidies up after itself?  Have we missed something?


Currently we have (on Redhat):

/etc/pam.d/imap:
   auth       required     pam_stack.so service=system-auth
   account    required     pam_stack.so service=system-auth


/etc/pam.d/pop:
   auth       required     pam_stack.so service=system-auth
   account    required     pam_stack.so service=system-auth


/etc/pam.d/system-auth:
   auth        required      /lib/security/$ISA/pam_env.so
   auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
   auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
   auth        required      /lib/security/$ISA/pam_deny.so

   account     required      /lib/security/$ISA/pam_unix.so
   account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

   password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
   password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow nis
   password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
   password    required      /lib/security/$ISA/pam_deny.so

   session     required      /lib/security/$ISA/pam_limits.so
   session     required      /lib/security/$ISA/pam_unix.so
   session     optional      /lib/security/$ISA/pam_krb5.so


/etc/krb5.conf:
   ...
   [libdefaults]
    ticket_lifetime = 24000
   ...
   [appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }



Thanks in advance.

-- 


:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :
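Added example, not part of the message above and not code from pam_krb5 or the author: a stopgap housekeeping script for the situation described, where a service's PAM stack runs only auth and account (as the imap and pop stacks quoted above do) and so never gives pam_krb5 a session-close step in which to remove the per-session credential cache it created. It assumes (nothing in the post confirms this) that the caches are regular files directly under one directory whose names start with "krb5", that any cache untouched for more than DAYS days belongs to a session that has ended, and a find that supports -maxdepth (GNU or BSD find; Solaris /usr/bin/find does not). Where the Kerberos tools are installed, it uses `klist -s -c FILE` to skip a cache that still holds an unexpired ticket.

```shell
#!/bin/sh
# prune_ccaches.sh - remove stale per-session Kerberos credential caches
# left behind in a directory by pam_krb5.
# Added example, not code from the original post or from pam_krb5.
# Assumptions (not stated in the post): caches are regular files whose
# names start with "krb5", sit directly under DIR, and one not modified
# for more than DAYS days belongs to a session that has already ended.

# prune_ccaches DIR DAYS [dry]
#   Prints each cache it removes (or, in "dry" mode, would remove), one per line.
prune_ccaches() {
    dir=$1
    days=$2
    mode=${3:-delete}

    # -maxdepth 1 / -type f: never descend and never follow symlinks, which
    # matters in a world-writable sticky /tmp.  -mtime +N: older than N days.
    find "$dir" -maxdepth 1 -type f -name 'krb5*' -mtime +"$days" -print |
    while IFS= read -r f; do
        # If the Kerberos tools are present, keep a cache that still holds
        # an unexpired ticket: 'klist -s -c FILE' exits 0 only in that case.
        if command -v klist >/dev/null 2>&1 && klist -s -c "$f" 2>/dev/null; then
            continue
        fi
        printf '%s\n' "$f"
        [ "$mode" = dry ] || rm -f -- "$f"
    done
}

# Typical use (run from cron as root; try "dry" first to see what would go):
#   prune_ccaches /tmp 2 dry
#   prune_ccaches /tmp 2
```

The age threshold is deliberately separate from the ticket lifetime in krb5.conf: a cache whose tickets have expired is useless to the session that created it, but a daemon can still be holding an open session a little beyond that point, so a couple of days' margin costs only disk space. This only treats the symptom; whether the daemon can be made to run a PAM session (so pam_krb5 cleans up itself) or to skip creating a cache at all is the question for the PAM and daemon documentation.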