krb5.cache.clean

This configuration parameter specifies whether Kerberos credentials in the cache should be deleted when a user logs out. By default, credentials stored in the Kerberos cache that belong to users who are not logged in are periodically deleted.

To keep the credentials available in the cache, use this parameter to turn off the cache clean process entirely. Alternatively, use the krb5.cache.clean.exclusion parameter to turn off cache cleaning for specific users.

This configuration parameter allows you to control this operation specifically for zone users or for all users.

The parameter value must be one of the following valid settings:

  • off to turn off the deletion of the credentials cache for all users.

  • cdc to remove all of the /tmp/krb5cc* files created by the agent (adclient) that belong to any user not found in the utmp database (that is, the user has logged out).

  • all to remove all of the /tmp/krb5cc* files that belong to any user not found in the utmp database. This setting removes files created by the agent (adclient), telnet, and openssh.

For example, to remove the credentials cache for all users when they log out:

krb5.cache.clean: all

The default value for this parameter is cdc.
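The following is an added example, not vendor code: a dry-run audit that reports the effective krb5.cache.clean value and lists the krb5cc* files whose owner has no utmp session, which are the files the all setting would remove. The function names and the config-file path argument are assumptions; the script cannot tell which files the agent created, so it does not model the narrower cdc setting or krb5.cache.clean.exclusion.

```shell
#!/bin/sh
# Dry-run audit for krb5.cache.clean. Nothing is deleted.
# Function names are illustrative; the config path is passed in by the caller.

# Print the krb5.cache.clean value set in config file $1.
# Falls back to the documented default, cdc, when the parameter is unset.
effective_clean_mode() {
    mode=$(sed -n 's/^[[:space:]]*krb5\.cache\.clean[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${mode:-cdc}"
}

# Owner of a file as shown by ls (a name, or the numeric uid if it has no name).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Users with a session recorded in utmp, one per line (who reads utmp).
logged_in_users() {
    who | awk '{print $1}' | sort -u
}

# List krb5cc* entries in directory $1 whose owner is not in the
# whitespace-separated user list $2. Output: owner<TAB>path, one per line.
stale_krb5_caches() {
    for f in "$1"/krb5cc*; do
        [ -e "$f" ] || continue            # glob matched nothing
        owner=$(owner_of "$f")
        case " $(printf '%s ' $2) " in
            *" $owner "*) ;;               # owner still has a session: keep
            *) printf '%s\t%s\n' "$owner" "$f" ;;
        esac
    done
}

# Typical use on a host:
#   effective_clean_mode /path/to/agent.conf
#   stale_krb5_caches /tmp "$(logged_in_users)"
```

If the reported mode is off, every file this lists stays on disk after logout until something else removes it.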