On Wed, Mar 22, 2017 at 3:19 PM, <m.roth at 5-cent.us> wrote: > Matt Garman wrote: >> (2) Permission denied issues. I have user Kerberos tickets >> configured for 70 days. But there is clearly some kind of >> undocumented kernel caching going on. Looking at the Kerberos server >> logs, it looks like it "could" be a performance issue, as I see 100s >> of ticket requests within the same second when someone tries to launch >> a lot of jobs. Many of these will fail with "permission denied" but >> if they immediately re-try, it works. Related to this, I have been >> unable to figure out what creates and deletes the >> /tmp/krb5cc_uid_random files. > > Are they asking for *new* credentials each time? They should only be doing > one kinit. Well, that's what I don't understand. In practice, I don't believe a user should ever have to explicitly do kinit, as their credentials/tickets are implicitly created (and forwarded) via ssh. Despite that, I see the /tmp/krb5cc_uid files accumulating over time. But I've tried testing this, and I haven't been able to determine exactly what creates those files. And I don't understand why new krb5cc_uid files are created when there is an existing, valid file already. Clearly some programs ignore existing files, and some create new ones. > And there's nothing in the logs, correct? Have you tried attaching strace > to one of those, and see if you can get a clue as to what's happening? Actually, I get this in the log: Mar 22 13:25:09 daemon.err lnxdev108 rpc.gssd[19329]: WARNING: handle_gssd_upcall: failed to find uid in upcall string 'mech=krb5' Thanks, Matt