[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Many /tmp/krb5* files



I have had the same issue.. I currently run tmpwatch on our imap/pop
servers to clean these out....  

See-ya
Mitch


On Thu, 2003-10-23 at 10:01, David Lee wrote:
> OS: Mostly Redhat 9 but also Solaris 8.  PAM/krb5 details at end of email.
> 
> Although our passwd information on those RH and Solaris machines uses NIS,
> we recently migrated the authentication aspect from NIS to Kerberos (on
> Active Directory).
> 
> Since then I have noticed that each machine's "/tmp" contains lots of
> files with names of the form "/tmp/krb5<NIS-domain>_<uid>_<random>" on
> Redhat (on Solaris it is the simpler "/tmp/krb5<NIS-domain>_<uid>").
> 
> These seem to persist for days after the session that generates them has
> gone.  Generally this is not a problem.  But our email machines have a
> very high daily quantity of IMAP and POP sessions, so the sheer quantity
> of these files has a significant impact on filespace (we currently have
> over 350,000 such files on one machine).
> 
> Presumably these files have no relevance after the initiating IMAP or POP
> session has gone away.  Is there something we can do in PAM (or krb5.conf
> or elsewhere) so it tidies up after itself?  Have we missed something?
> 
> 
> Currently we have (on Redhat):
> 
> /etc/pam.d/imap:
>    auth       required     pam_stack.so service=system-auth
>    account    required     pam_stack.so service=system-auth
> 
> 
> /etc/pam.d/pop:
>    auth       required     pam_stack.so service=system-auth
>    account    required     pam_stack.so service=system-auth
> 
> 
> /etc/pam.d/system-auth:
>    auth        required      /lib/security/$ISA/pam_env.so
>    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>    auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
>    auth        required      /lib/security/$ISA/pam_deny.so
> 
>    account     required      /lib/security/$ISA/pam_unix.so
>    account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
> 
>    password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow nis
>    password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
>    password    required      /lib/security/$ISA/pam_deny.so
> 
>    session     required      /lib/security/$ISA/pam_limits.so
>    session     required      /lib/security/$ISA/pam_unix.so
>    session     optional      /lib/security/$ISA/pam_krb5.so
> 
> 
> /etc/krb5.conf:
>    ...
>    [libdefaults]
>     ticket_lifetime = 24000
>    ...
>    [appdefaults]
>     pam = {
>       debug = false
>       ticket_lifetime = 36000
>       renew_lifetime = 36000
>       forwardable = true
>       krb4_convert = false
>     }
> 
> 
> 
> Thanks in advance.
-- 
/####################################################################/
/# Mitchell "Buzz" Baker               "To Infinity And Beyond..."  #/
/# Sr. Systems/Security Admin  Rose-Hulman Institute of Technology  #/     
/# Mitchell D Baker rose-hulman edu            www.rose-hulman.edu  #/
/#        For PGP Public key, check out www.keyserver.net           #/
/####################################################################/




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]