leibniz-psychology/conductor

gssapi: Credential expired

PromyLOPh opened this issue · 0 comments

When leaving an application running overnight on the production cluster the following error occurs when opening the app the first time:

[C 19:43:47.162 LabApp] received signal 15, stopping
[I 19:43:47.162 LabApp] Shutting down 1 kernel
[I 19:43:47.263 LabApp] Kernel shutdown: ce87b703-ae77-4927-9679-3940ca2284f1
ERROR:asyncio:Task exception was never retrieved
future: <Task finished coro=<copy() done, defined at /gnu/store/kn49lbrnccih9q685rh0lhgz3d4yh287-conductor-0.1/lib/python3.7/site-packages/conductor/util.py:8> exception=KeyExchangeFailed('Major (720896): The referenced credential has expired, Minor (100001): Unknown code 0')>
Traceback (most recent call last):
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/kex_dh.py", line 491, in _process_token
self._token = self._gss.step(token)
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/gss_unix.py", line 105, in step
self._init_context()
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/gss_unix.py", line 142, in _init_context
flags=self._flags)
File "/gnu/store/bjln1y9bdb16k399dx03vp3nbfs34zs1-python-gssapi-1.6.1/lib/python3.7/site-packages/gssapi/sec_contexts.py", line 79, in __init__
elif creds is not None and creds.usage != 'both':
File "/gnu/store/bjln1y9bdb16k399dx03vp3nbfs34zs1-python-gssapi-1.6.1/lib/python3.7/site-packages/gssapi/creds.py", line 91, in usage
usage=True, mechs=False).usage
File "/gnu/store/bjln1y9bdb16k399dx03vp3nbfs34zs1-python-gssapi-1.6.1/lib/python3.7/site-packages/gssapi/creds.py", line 259, in inquire
res = rcreds.inquire_cred(self, name, lifetime, usage, mechs)
File "gssapi/raw/creds.pyx", line 351, in gssapi.raw.creds.inquire_cred
gssapi.raw.exceptions.ExpiredCredentialsError: Major (720896): The referenced credential has expired, Minor (100001): Unknown code 0

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/gnu/store/kn49lbrnccih9q685rh0lhgz3d4yh287-conductor-0.1/lib/python3.7/site-packages/conductor/util.py", line 11, in copy
buf = await source.read (4096)
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/stream.py", line 105, in read
return await self._session.read(n, self._datatype, exact=False)
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/stream.py", line 469, in read
raise exc
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/connection.py", line 772, in data_received
while self._inpbuf and self._recv_handler():
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/connection.py", line 1002, in _recv_packet
processed = handler.process_packet(pkttype, seq, packet)
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/packet.py", line 215, in process_packet
self._packet_handlers[pkttype](self, pkttype, pktid, packet)
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/connection.py", line 1604, in _process_kexinit
self._kex.start()
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/kex_dh.py", line 600, in start
self._process_token()
File "/gnu/store/phpm3n9n8k0j73h3fysvk6llqipx1mki-python-asyncssh-2.2.0/lib/python3.7/site-packages/asyncssh/kex_dh.py", line 501, in _process_token
raise KeyExchangeFailed(str(exc))
asyncssh.misc.KeyExchangeFailed: Major (720896): The referenced credential has expired, Minor (100001): Unknown code 0

This seems to be https://bugzilla.mindrot.org/show_bug.cgi?id=3203 upstream. Problem is that sshd unconditionally sets the environment variable KRB5CCNAME to a FILE:-based string and does not respect the file /etc/krb5.conf.

Simple workaround seems to be adding KRB5CCNAME=KCM: to /etc/environment, which is picked up by pam_env.
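
A diagnostic sketch for the situation in this issue, added here as an example (it is not code from the issue, conductor or asyncssh): it decodes the `Major (720896)` status seen in the log and reports which credential cache type `KRB5CCNAME` selects in `/etc/environment` and in a session environment. The function names, the simplified `/etc/environment` parser and the sample values are assumptions made for illustration.

```python
import re

# Routine errors sit in bits 16-23 of a GSS-API major status (RFC 2744).
ROUTINE_ERRORS = {7: "GSS_S_NO_CRED", 11: "GSS_S_CREDENTIALS_EXPIRED",
                  12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE"}
# Constructed sample inputs; only the log line is taken from the traceback above.
SAMPLE_LOG = ("asyncssh.misc.KeyExchangeFailed: Major (720896): The referenced "
              "credential has expired, Minor (100001): Unknown code 0")
SAMPLE_ETC_ENVIRONMENT = "# constructed example\nPATH=/usr/bin:/bin\nKRB5CCNAME=KCM:\n"
SAMPLE_SESSION_ENV = {"KRB5CCNAME": "FILE:/tmp/krb5cc_1000_constructed"}


def routine_errors(log_text):
    """Return the routine-error names behind every 'Major (N)' in a log."""
    codes = {(int(n) >> 16) & 0xFF for n in re.findall(r"Major \((\d+)\)", log_text)}
    return {ROUTINE_ERRORS.get(c, f"routine error {c}") for c in codes}


def ccache_type(krb5ccname):
    """Cache type of a KRB5CCNAME value; a bare path means FILE in MIT krb5."""
    kind, sep, _ = krb5ccname.partition(":")
    return kind if sep and kind.isalpha() else "FILE"


def parse_pam_env(text):
    """Simplified parser for the KEY=VAL lines of /etc/environment (assumption)."""
    env = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, val = line.partition("=")
        if sep and key.strip():
            env[key.strip()] = val.strip().strip("'\"")
    return env


def workaround_status(etc_environment, session_env):
    """Compare the cache configured via pam_env with the one a session uses."""
    configured = parse_pam_env(etc_environment).get("KRB5CCNAME")
    effective = session_env.get("KRB5CCNAME")
    return {
        "configured": ccache_type(configured) if configured else None,
        "effective": ccache_type(effective) if effective else None,
        "workaround_present": configured == "KCM:",
    }


if __name__ == "__main__":
    print(routine_errors(SAMPLE_LOG), workaround_status(SAMPLE_ETC_ENVIRONMENT, SAMPLE_SESSION_ENV))
```

To check a live process rather than the constructed samples, pass `dict(os.environ)` as `session_env` and the contents of `/etc/environment` as `etc_environment`.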