Re: Many /tmp/krb5* files

On Thu, Oct 23, 2003 at 04:01:14PM +0100, David Lee wrote:
> OS: Mostly Redhat 9 but also Solaris 8.  PAM/krb5 details at end of email.

> Although our passwd information on those RH and Solaris machines uses NIS,
> we recently migrated the authentication aspect from NIS to Kerberos (on
> Active Directory).

> Since then I have noticed that each machine's "/tmp" contains lots of
> files with names of the form "/tmp/krb5<NIS-domain>_<uid>_<random>" on
> Redhat (on Solaris it is the simpler "/tmp/krb5<NIS-domain>_<uid>").

> These seem to persist for days after the session that generates them has
> gone.  Generally this is not a problem.  But our email machines have a
> very high daily quantity of IMAP and POP sessions, so the sheer quantity
> of these files has a significant impact on filespace (we currently have
> over 350,000 such files on one machine).

> Presumably these files have no relevance after the initiating IMAP or POP
> session has gone away.  Is there something we can do in PAM (or krb5.conf
> or elsewhere) so it tidies up after itself?  Have we missed something?

> Currently we have (on Redhat):

> /etc/pam.d/imap:
>    auth       required     pam_stack.so service=system-auth
>    account    required     pam_stack.so service=system-auth
> 
> 
> /etc/pam.d/pop:
>    auth       required     pam_stack.so service=system-auth
>    account    required     pam_stack.so service=system-auth

Looks familiar.  Whenever I've seen this problem, it's been a bug
(deficiency) in the application, rather than the PAM module.  It's very
common with "sessionless" services, like POP and IMAP, which tend to
call the PAM open calls and not clean up after themselves on the way
out.  A call to pam_setcred(PAM_DELETE_CRED) is almost certainly what's
missing here.

Cheers,
-- 
Steve Langasek
postmodern programmer
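
Added example, not part of the original thread: one way to measure the leak described above, and to confirm it stops once the POP/IMAP daemon calls pam_setcred(PAM_DELETE_CRED) on its way out, is to count old krb5* files per owning uid. The function name stale_ccaches and the 60-minute default are assumptions; the krb5* prefix is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report leftover Kerberos credential
# cache files per owning uid. The function name and the default age
# threshold are assumptions; the krb5* prefix is the one quoted above.

# stale_ccaches DIR [MINUTES]
# Prints "<uid> <count>" for every owner of regular files named krb5*
# directly inside DIR whose mtime is more than MINUTES minutes old
# (default 60), busiest owner first. POP and IMAP logins are short, so a
# cache that old has outlived the login that created it.
stale_ccaches() {
    dir=$1
    minutes=${2:-60}

    if [ ! -d "$dir" ]; then
        echo "stale_ccaches: $dir is not a directory" >&2
        return 2
    fi

    # -type f skips symlinks and directories, which matters in a
    # world-writable /tmp. -maxdepth and -mmin are find extensions that
    # GNU and BSD find both provide. "ls -ln" prints the numeric owner
    # in column 3, so no uid has to be parsed out of the file name.
    find "$dir" -maxdepth 1 -type f -name 'krb5*' -mmin "+$minutes" \
        -exec ls -ln {} + |
        awk '{ n[$3]++ } END { for (u in n) print u, n[u] }' |
        sort -k2,2nr
}
```

Run it as `stale_ccaches /tmp 60` before and after the daemon is changed; a count that keeps growing for the mail users means the caches are still not being destroyed at logout.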


