I have had the same issue. I currently run tmpwatch on our imap/pop servers
to clean these out....

See-ya
Mitch

On Thu, 2003-10-23 at 10:01, David Lee wrote:
> OS: Mostly Redhat 9 but also Solaris 8. PAM/krb5 details at end of email.
>
> Although our passwd information on those RH and Solaris machines uses NIS,
> we recently migrated the authentication aspect from NIS to Kerberos (on
> Active Directory).
>
> Since then I have noticed that each machine's "/tmp" contains lots of
> files with names of the form "/tmp/krb5<NIS-domain>_<uid>_<random>" on
> Redhat (on Solaris it is the simpler "/tmp/krb5<NIS-domain>_<uid>").
>
> These seem to persist for days after the session that generates them has
> gone. Generally this is not a problem. But our email machines have a
> very high daily quantity of IMAP and POP sessions, so the sheer quantity
> of these files has a significant impact on filespace (we currently have
> over 350,000 such files on one machine).
>
> Presumably these files have no relevance after the initiating IMAP or POP
> session has gone away. Is there something we can do in PAM (or krb5.conf
> or elsewhere) so it tidies up after itself? Have we missed something?
>
>
> Currently we have (on Redhat):
>
> /etc/pam.d/imap:
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
>
>
> /etc/pam.d/pop:
> auth       required     pam_stack.so service=system-auth
> account    required     pam_stack.so service=system-auth
>
>
> /etc/pam.d/system-auth:
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
>
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow nis
> password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_krb5.so
>
>
> /etc/krb5.conf:
> ...
> [libdefaults]
>  ticket_lifetime = 24000
> ...
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
>
>
> Thanks in advance.

--
/####################################################################/
/# Mitchell "Buzz" Baker             "To Infinity And Beyond..."    #/
/# Sr. Systems/Security Admin  Rose-Hulman Institute of Technology  #/
/# Mitchell.D.Baker@xxxxxxxxxxxxxxx              www.rose-hulman.edu #/
/# For PGP Public key, check out www.keyserver.net                  #/
/####################################################################/

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
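
An age-based cleanup of the kind the tmpwatch workaround above performs, narrowed to the credential cache file names quoted in the thread. This is an added example, not part of either message; the function name `purge_stale_ccaches`, the glob, the age threshold and the rule "uid is the field after the first underscore" are assumptions. It relies on `find` supporting `-maxdepth` and `-mmin` (GNU, BSD and busybox do).

```shell
#!/bin/sh
# Added example (not from the thread): remove stale Kerberos credential
# cache files named krb5<domain>_<uid>[_<random>] from a directory.
#
# purge_stale_ccaches DIR MAX_AGE_MINUTES [dry-run]
# Prints the number of files removed (or, with dry-run, that would be removed).
purge_stale_ccaches() {
    dir=$1
    max_age=$2
    mode=${3:-delete}
    removed=0

    for f in "$dir"/krb5*_[0-9]*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$f" ] || [ -L "$f" ] || continue

        # Assumption: the uid is the field after the first underscore.
        # A domain that itself contains "_" yields a non-numeric field
        # and the file is left alone.
        name=${f##*/}
        rest=${name#*_}
        uid=${rest%%_*}
        case $uid in
            ''|*[!0-9]*) continue ;;
        esac

        # Let find re-check the candidate without following symlinks:
        #   -type f  regular file only (a symlink planted in /tmp fails)
        #   -user    owner must be the uid embedded in the name
        #   -mmin    not modified for more than MAX_AGE_MINUTES
        if [ -n "$(find "$f" -maxdepth 0 -type f -user "$uid" \
                        -mmin "+$max_age" -print)" ]; then
            [ "$mode" = dry-run ] || rm -f -- "$f"
            removed=$((removed + 1))
        fi
    done

    echo "$removed"
}
```

The age threshold should exceed the longest ticket lifetime in use, so that a cache belonging to a session that is still open is not removed.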