Dear all, I'm stuck with the ticket cache file permission incorrect after users login farm with Pam module. In this case, users failed to run "kpasswd", "klist" command with the following error.
kpasswd: Credentials cache permissions incorrect getting principal from ccache klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_60037_1BdT0m) I found the error caused by the incorrect permission of ticket file(all the personal ticket file with the root uid but right gid ). For example: -rw------- 1 root u07 469 Jul 29 10:00 /tmp/krb5cc_60037_1BdT0m And this issue happens in Scientific Linux 6 not in Scientific Linux 7. I attached the pam.d configuration: [root@lxslc613 ~]# vi /etc/pam.d/system-auth-ac #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth sufficient pam_krb5.so try_first_pass auth optional pam_afs_session.so program=/usr/bin/aklog auth required pam_env.so auth sufficient pam_fprintd.so auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account sufficient pam_krb5.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password sufficient pam_krb5.so use_first_pass password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session required pam_unix.so session optional pam_krb5.so session optional pam_afs_session.so program=/usr/bin/aklog session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid ~ [root@lxslc613 ~]# vi /etc/pam.d/password-auth-ac #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth sufficient pam_krb5.so try_first_pass auth optional pam_afs_session.so program=/usr/bin/aklog auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account sufficient pam_krb5.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_krb5.so session optional pam_afs_session.so program=/usr/bin/aklog session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so Does anyone know about this issue and give me some clues? Any suggestions would be greatly appreciated. Many thanks. Regards, Qiulan huangql ==================================================================== Computing center,the Institute of High Energy Physics, CAS, China Qiulan Huang Tel: (+86) 10 8823 6087 P.O. Box 918-7 Fax: (+86) 10 8823 6839 Beijing 100049 P.R. China Email: huan...@ihep.ac.cn =================================================================== ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
