Keeping the Kerberos credential after user logoff

When your Linux® management hosts use either Microsoft Active Directory (AD) or MIT Kerberos as the KDC, retain the Kerberos credential after a user logs off, so that different applications that share the Kerberos environment can use the Kerberos credential. By default, IBM® Spectrum Symphony cleans up credentials after user logoff.

Before you begin

MIT Kerberos version 1.11 or higher supports the default_ccache_name configuration in the krb5.conf file. This configuration is not supported in IBM Spectrum Symphony. To ensure that IBM Spectrum Symphony uses the Kerberos credential properly, set the KRB5CCNAME environment variable to the value of the default_ccache_name parameter.

Procedure

  1. To specify whether the Kerberos credential cache file on a specific host (specified by the KRB5CCNAME environment variable or the default one at /tmp/krb5cc_uid) must be retained after user logoff, configure the KEEP_KRB5CC_ON_USER_LOGOFF parameter in the sec_ego_gsskrb.conf file on that host.

    Valid values are Y to keep the credential after the user logs off or N to clean up the credential after the user logs off. Default is N. For example:

    KEEP_KRB5CC_ON_USER_LOGOFF=Y

  2. Optional: To manually remove the credential cache file, use the kdestroy command. For example:

    kdestroy -c /tmp/krb5cc_330
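
The following shell functions are an added example, not part of the IBM documentation or product: they read KEEP_KRB5CC_ON_USER_LOGOFF from a sec_ego_gsskrb.conf file, resolve the cache file from KRB5CCNAME or the /tmp/krb5cc_uid default, and check that a retained cache is a regular file owned by the user with no group or other permissions. Assumptions: the function names are hypothetical, the configuration file path is supplied by the caller, the last uncommented assignment in the file is taken as effective, and GNU stat is available.

```sh
#!/bin/sh
# Added example (not IBM code); function names are hypothetical.

# Effective KEEP_KRB5CC_ON_USER_LOGOFF for a given sec_ego_gsskrb.conf.
# Assumption: the last uncommented assignment wins; anything but Y means N.
keep_setting() {
    val=$(sed -n 's/^[[:space:]]*KEEP_KRB5CC_ON_USER_LOGOFF[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    case $val in
        Y) echo Y ;;
        *) echo N ;;   # documented default
    esac
}

# Cache file path for a uid: KRB5CCNAME if set, else /tmp/krb5cc_<uid>.
# Returns 1 when the value is not FILE:<path> or an absolute path
# (for example KEYRING: or DIR: caches, which are not a single file).
ccache_path() {
    case ${2:-} in
        "")     echo "/tmp/krb5cc_$1" ;;
        FILE:*) echo "${2#FILE:}" ;;
        /*)     echo "$2" ;;
        *)      return 1 ;;
    esac
}

# Status of a cache file: MISSING, OK, or UNSAFE with the reason.
audit_ccache() {
    [ -L "$1" ] && { echo "UNSAFE symlink"; return 0; }
    [ -f "$1" ] || { echo MISSING; return 0; }
    owner=$(stat -c %u "$1")   # GNU stat (Linux)
    mode=$(stat -c %a "$1")
    [ "$owner" = "$2" ] || { echo "UNSAFE owner=$owner"; return 0; }
    case $mode in
        ?00) echo OK ;;                    # no group/other access bits
        *)   echo "UNSAFE mode=$mode" ;;
    esac
}

# One-line report: args are config path, uid, and optional KRB5CCNAME value.
report() {
    keep=$(keep_setting "$1")
    if cache=$(ccache_path "$2" "${3:-}"); then
        echo "keep=$keep cache=$cache status=$(audit_ccache "$cache" "$2")"
    else
        echo "keep=$keep cache=non-file"
    fi
}
# Usage: report <path to sec_ego_gsskrb.conf> "$(id -u)" "${KRB5CCNAME:-}"
```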

What to do next

For a sample scenario, see Using additional configuration for a Linux cluster (MIT Kerberos as KDC).