I am seeing the below error messages:

error: {
  message: Unspecified GSS failure. Minor code may provide more information: No credentials cache found (filename: /tmp/krb5cc_176874)
  stack: Error: Unspecified GSS failure. Minor code may provide more information: No credentials cache found (filename: /tmp/krb5cc_176874)
}
level: error
message: Authentication process failed

It seems the Kerberos tickets are being removed from the /tmp directory.  How do I change that?

When using Kerberos authentication with Cribl, the Kerberos tickets are stored in /tmp; these Kerberos tickets are then removed by systemd-tmpfiles-clean.service. To have the Kerberos tickets stored in a location other than /tmp, there are two methods that can be followed.

1) Using the directory option for default_ccache_name in /etc/krb5.conf:

Stop Cribl:
cribl@:/opt/cribl/bin$ ./cribl stop

Or via systemd:
cribl@:/opt/cribl/bin$ systemctl stop cribl

Update default_ccache_name in /etc/krb5.conf with the following entry under the [libdefaults] stanza:
default_ccache_name = DIR:/opt/splunk/cribl_state/

cribl@:/opt/cribl/bin$ grep default_ccache_name /etc/krb5.conf
default_ccache_name = DIR:/opt/splunk/cribl_state/ # under [libdefaults]

cribl@:/opt/cribl/bin$ mkdir /opt/splunk/cribl_state/
cribl@:/opt/cribl/bin$ chown -R cribl:cribl /opt/splunk/cribl_state/

Restart Cribl:
cribl@:/opt/cribl/bin$ ./cribl start

Or via systemd:
cribl@:/opt/cribl/bin$ systemctl start cribl

cribl@:/opt/cribl/bin$ ls -la /opt/splunk/cribl_state/

total 16
drwxr-xr-x 2 cribl cribl 4096 Jul 17 22:16 .
drwxr-xr-x 3 cribl cribl 4096 Jul 17 21:54 ..
-rw------- 1 cribl cribl 4 Jul 17 22:16 primary
-rw------- 1 cribl cribl 1383 Jul 17 22:16 tkt

2) Using the file option for default_ccache_name in /etc/krb5.conf:

Stop Cribl:
cribl@:/opt/cribl/bin$ ./cribl stop

Or via systemd:
cribl@:/opt/cribl/bin$ systemctl stop cribl

Update default_ccache_name in /etc/krb5.conf with the following entry under the [libdefaults] stanza:
default_ccache_name = FILE:/opt/splunk/cribl_state/my_krb_cache

cribl@:/opt/cribl/bin$ grep default_ccache_name /etc/krb5.conf
default_ccache_name = FILE:/opt/splunk/cribl_state/my_krb_cache

cribl@:/opt/cribl/bin$ touch /opt/splunk/cribl_state/my_krb_cache
cribl@:/opt/cribl/bin$ chown cribl:cribl /opt/splunk/cribl_state/my_krb_cache

Restart Cribl:
cribl@:/opt/cribl/bin$ ./cribl start
Or via systemd:
cribl@:/opt/cribl/bin$ systemctl start cribl

cribl@:/opt/cribl/bin$ ls -la /opt/splunk/cribl_state/
total 12
drwxr-xr-x 2 cribl cribl 4096 Jul 17 22:22 .
drwxr-xr-x 3 cribl cribl 4096 Jul 17 21:54 ..
-rw------- 1 cribl cribl 1383 Jul 17 22:22 my_krb_cache
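
As an added example (not part of the original post and not Cribl's code), the script below checks the result of either method: it reads default_ccache_name from the [libdefaults] stanza and reports whether the cache still resolves to a directory that systemd-tmpfiles ages out, or to a directory that is missing or not writable. The function names and the CLEANED_DIRS variable are assumptions for illustration, as is treating /var/tmp as aged alongside /tmp.

```shell
#!/bin/sh
# Added example (not Cribl's code): audit where krb5.conf puts the ticket cache.
# Run as the service account (cribl on this page) so the -w test is meaningful.

# Print default_ccache_name from the [libdefaults] stanza of krb5.conf file $1,
# or MIT krb5's built-in default (a file under /tmp) when the key is not set.
ccache_name() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print (val != "" ? val : "FILE:/tmp/krb5cc_%{uid}") }
    ' "$1"
}

# Print the filesystem path behind a cache name; fail for non-file types.
ccache_path() {
    case "$1" in
        FILE:*|DIR:*) printf '%s\n' "${1#*:}" ;;
        /*)           printf '%s\n' "$1" ;;   # no type prefix means FILE
        *)            return 1 ;;             # e.g. KEYRING:, KCM:, MEMORY:
    esac
}

# Classify the cache location: tmp-cleaned | missing | not-writable | ok | non-file
# CLEANED_DIRS (assumed name) lists directories aged by systemd-tmpfiles.
check_ccache() {
    name=$(ccache_name "$1")
    path=$(ccache_path "$name") || { echo non-file; return 0; }
    for dir in ${CLEANED_DIRS:-/tmp /var/tmp}; do
        case "$path" in "$dir"/*) echo tmp-cleaned; return 1 ;; esac
    done
    case "$name" in
        DIR:*) target=${path%/} ;;           # the collection directory itself
        *)     target=$(dirname "$path") ;;  # directory holding the cache file
    esac
    [ -d "$target" ] || { echo missing; return 1; }
    [ -w "$target" ] || { echo not-writable; return 1; }
    echo ok
}

# Usage: sh check_ccache.sh /etc/krb5.conf
if [ $# -gt 0 ]; then check_ccache "$1"; fi
```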