On Wed, Mar 22, 2017 at 3:19 PM, m.roth@5-cent.us wrote:
Matt Garman wrote:
(2) Permission denied issues. I have user Kerberos tickets configured for 70 days. But there is clearly some kind of undocumented kernel caching going on. Looking at the Kerberos server logs, it looks like it "could" be a performance issue, as I see 100s of ticket requests within the same second when someone tries to launch a lot of jobs. Many of these will fail with "permission denied" but if they immediately re-try, it works. Related to this, I have been unable to figure out what creates and deletes the /tmp/krb5cc_uid_random files.
Are they asking for *new* credentials each time? They should only be doing one kinit.
Well, that's what I don't understand. In practice, I don't believe a user should ever have to explicitly do kinit, as their credentials/tickets are implicitly created (and forwarded) via ssh. Despite that, I see the /tmp/krb5cc_uid files accumulating over time. But I've tried testing this, and I haven't been able to determine exactly what creates those files. And I don't understand why new krb5cc_uid files are created when there is an existing, valid file already. Clearly some programs ignore existing files, and some create new ones.
And there's nothing in the logs, correct? Have you tried attaching strace to one of those, and see if you can get a clue as to what's happening?
Actually, I get this in the log:
Mar 22 13:25:09 daemon.err lnxdev108 rpc.gssd[19329]: WARNING: handle_gssd_upcall: failed to find uid in upcall string 'mech=krb5'
Thanks, Matt
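
One way to inventory the accumulating /tmp/krb5cc_uid files discussed in this thread, so that their last-modified times can be lined up with sshd, rpc.gssd and KDC log entries. This is an added example, not part of the original messages; the function names and the sample directory are constructed for illustration.

```python
import os
import re
import stat
import tempfile
from collections import defaultdict

# File names of the form krb5cc_<uid> or krb5cc_<uid>_<random>, as named in the thread.
CCACHE_RE = re.compile(r"^krb5cc_(\d+)(?:_(\S+))?$")

def inventory_ccaches(directory="/tmp"):
    """Return {uid: [entry, ...]} for credential cache files, oldest first."""
    by_uid = defaultdict(list)
    for name in os.listdir(directory):
        m = CCACHE_RE.match(name)
        if not m:
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: never follow a symlink sitting in a shared /tmp
        if not stat.S_ISREG(st.st_mode):
            continue
        uid = int(m.group(1))
        by_uid[uid].append({
            "path": path,
            "mtime": st.st_mtime,  # correlate with log timestamps
            "owner_matches_name": st.st_uid == uid,
            "private": (stat.S_IMODE(st.st_mode) & 0o077) == 0,
        })
    for entries in by_uid.values():
        entries.sort(key=lambda e: e["mtime"])
    return dict(by_uid)

def accumulating_uids(inventory, threshold=1):
    """UIDs that hold more than `threshold` cache files at once."""
    return sorted(u for u, e in inventory.items() if len(e) > threshold)

def make_sample_dir():
    """Constructed sample: two caches for uid 1000, one for 1001, one unrelated file."""
    d = tempfile.mkdtemp()
    names = ["krb5cc_1000_aB3xYz", "krb5cc_1000_Qw9LmN", "krb5cc_1001", "notes.txt"]
    for i, name in enumerate(names):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, 0o644 if i == 1 else 0o600)  # second cache is deliberately too open
        os.utime(p, (1490000000 + 60 * i,) * 2)
    return d

if __name__ == "__main__":
    inv = inventory_ccaches(make_sample_dir())
    for uid in accumulating_uids(inv):
        print(uid, [(os.path.basename(e["path"]), e["private"]) for e in inv[uid]])
```

Run against the real /tmp as root to see every user's caches; an unprivileged run still lists the names but reports only what lstat can read.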