Hide Forgot
+++ This bug was initially created as a clone of Bug #725797 +++ Description of problem: Each time a user logs in and out again, one ccache file is left in /tmp. Users are managed in Active Directory and authenticate through nss-pam-ldapd/pam_krb5. Version-Release number of selected component (if applicable): pam_krb5-2.3.11-4.fc13.i686 How reproducible: Every time. Steps to Reproduce: 1.Log in via SSH 2.Log out Actual results: one ccache file left in /tmp Expected results: no ccache file left in /tmp Additional info: FWIW, setting multiple_ccaches did not seem to have any effect. The file left around was /tmp/krb5cc_10011_n0pEkv. It seems like this file is created just before the session starts: Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: created v5 ccache 'FILE:/tmp/krb5cc_10011_n0pEkv' for 'test05' Jul 26 16:40:40 fedora3-f13 sshd[17380]: pam_krb5[17380]: pam_open_session returning 0 (Success) Jul 26 16:40:42 fedora3-f13 sshd[17380]: Received disconnect from 10.46.208.226: 11: disconnected by user Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_unix(sshd:session): session closed for user test05 However after the session ends, a different file is tried for deletion: Jul 26 16:40:42 fedora3-f13 sshd[17369]: pam_krb5[17369]: removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe' Jul 26 16:40:43 fedora3-f13 sshd[17369]: pam_krb5[17369]: error removing ccache 'FILE:/tmp/krb5cc_10011_LCo3fe' Which has been created just before /tmp/krb5cc_10011_n0pEkv. Also, /tmp/krb5cc_10011_LCo3fe has already been deleted before /tmp/krb5cc_10011_n0pEkv was created: 17381 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0 17381 unlink("/tmp/krb5cc_10011_LCo3fe") = 0 ... 17382 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_XXXXXX", "10011", "10000"], [/* 15 vars */]) = 0 17382 open("/tmp/krb5cc_10011_n0pEkv", O_RDWR|O_CREAT|O_EXCL, 0600) = 3 ... 17422 execve("/lib/security/pam_krb5/pam_krb5_storetmp", ["pam_krb5_storetmp", "/tmp/krb5cc_10011_LCo3fe", "4294967295", "4294967295"], [/* 15 vars */]) = 0 17422 unlink("/tmp/krb5cc_10011_LCo3fe") = -1 ENOENT (No such file or directory) --- Additional comment from stefan.volkel.ext@nsn.com on 2011-07-26 11:25:44 EDT --- Created attachment 515305 [details] /var/log/secure --- Additional comment from stefan.volkel.ext@nsn.com on 2011-07-26 11:26:36 EDT --- Created attachment 515306 [details] strace -f -p $PID_OF_SSHD --- Additional comment from stefan.volkel.ext@nsn.com on 2011-07-27 04:22:06 EDT --- FWIW, it seems that the file kept after logout is the one from KRB5CCNAME --- Additional comment from ktdreyer@ktdreyer.com on 2011-08-26 18:19:48 EDT --- Appears to be happening on RHEL 6.1 also. pam_krb5-2.3.11-6.el6.x86_64
This'll probably turn out to be a duplicate of bug #720609. It should already be fixed in Raw Hide.
I can not access #720609: You are not authorized to access bug #720609. I need to fix this on Fedora 13. Is there a patch available? Or an updated package? Or can you provide the details so that I can fix it myself?
Keep in that Fedora 13 has passed its end-of-life date, so there won't be an update there. I just noticed that Raw Hide doesn't have 2.3.13 yet, so I'll be building it there soon. As for Fedora 13, using 'rpmbuild -tb' to build the tarball from https://fedorahosted.org/releases/p/a/pam_krb5/ is probably the most expedient route, as the backported patch for EL6 assumes some other things that were backported before it. The patches from the upstream repository are spread across these commits: 627a0a4d8c502d51a5b6e6e9828d66ed6c519e45 39ee8381f2daa1531a5c3fe126b5728a9b3d0d85 7bd1c02177bfb9fc5ea57556b0ee9444004c373d b7248ee6253ba6fd900e3a93016e29184ec1f264 7d00c3c1bf016dcd8c41d00eeebb065590906d44 9215413e55f9425149ae954181d657fb81103888
Happens here as well, RHEL 6.1 64bit openssh-5.3p1-52.el6_1.2.x86_64 pam_krb5-2.3.11-6.el6.x86_64
Ditto here openssh-5.3p1-52.el6_1.2.x86_64 pam_krb5-2.3.11-6.el6.x86_64
On RHEL6/x86_64 with pam_krb5-2.3.11-6.el6.x86_64 The following has been observed: - If the host has a corresponding /etc/krb5.keytab and user logs in using his TGT then logout is able to find and delete the file /tmp/krb5cc_UID_XXXXXX without further message. - If user logs following the password challenge (no TGT), upon log out, pam_krb5 is not able to find the ccache file and consequently prints the error "error removing ccache 'FILE:/tmp/krb5cc_UID_YYYYYY'" Note that in this case, ccache file name searched for deletion on logout is different from the one created at login time and then remaining in /tmp.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1704.html