too many connections / dropping tcp fd in 1.9.1

Paul B. Henson henson at acm.org
Mon Oct 17 21:16:27 EDT 2011


We recently upgraded our kerberos deployment from 1.8.4 to 1.9.1 (we run
Gentoo Linux). Since then, we've noticed messages like

Oct 15 18:10:11 halfy kadmind[25046]: too many connections
Oct 15 18:10:11 halfy kadmind[25046]: dropping tcp fd 36 from 134.71.247.23.46955

popping up in the logs. Looking into it, I think I've tracked this down
to a connection leak in a mod_perl based web service used in our
identity management infrastructure. We use the modules Authen::Krb5 and
Authen::Krb5::Admin to manage our kerberos principals. Each apache process
should have only one connection open to kadmin at a time, but at this
point they seem to build up multiple connections per process over time:

apache2   18313 apache   23u  IPv4 6687820      0t0  TCP
derp.unx.csupomona.edu:43357->halfy.unx.csupomona.edu:kerberos-adm
(ESTABLISHED)
apache2   18313 apache   24u  IPv4 6854962      0t0  TCP
derp.unx.csupomona.edu:45101->halfy.unx.csupomona.edu:kerberos-adm
(ESTABLISHED)
apache2   18313 apache   25u  IPv4 6793863      0t0  TCP
derp.unx.csupomona.edu:47373->halfy.unx.csupomona.edu:kerberos-adm
(ESTABLISHED)
apache2   18313 apache   26u  IPv4 6963881      0t0  TCP
derp.unx.csupomona.edu:39611->halfy.unx.csupomona.edu:kerberos-adm
(ESTABLISHED)
apache2   18313 apache   28u  IPv4 7034009      0t0  TCP
derp.unx.csupomona.edu:50685->halfy.unx.csupomona.edu:kerberos-adm
(ESTABLISHED)

I reinstalled 1.8.4 on a test box, and verified that code like:

  use Authen::Krb5::Admin;
  # reassigning $kadm5 destroys the previous handle, which should close its socket
  while (1) {
    $kadm5 = Authen::Krb5::Admin->init_with_password($user, $password);
  }

under 1.8.4 closes the TCP connection each time a new connection is
made, but under 1.9.1, the exact same code leaks a connection every
time.

It looks like under the hood, Authen::Krb5::Admin is just calling
kadm5_destroy in the object destructor. Can anybody think of a reason
that under 1.9.1 this is not releasing the connection? Does
Authen::Krb5::Admin need an update to be compatible with kerberos 1.9.1?

Any help much appreciated, thanks...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
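One way to check for this kind of leak from the outside, independent of the Perl bindings, is to count established kadmin connections per process on the client and to tally kadmind's "dropping tcp fd" messages per source address on the KDC. The following Python script is an added example, not code from the original post or from Authen::Krb5::Admin; the lsof and log samples are constructed from the shapes shown above (with one well-behaved apache process and an unrelated socket added so the filter has something to ignore), and the line-joining step assumes lsof records were wrapped across three lines the way the mail client did here.

```python
import re
from collections import Counter

# Constructed sample: the lsof records from the post, wrapped across three
# lines each as in the mail, plus one apache process with a single
# connection and an unrelated ssh socket (both constructed).
LSOF_SAMPLE = """\
apache2   18313 apache   23u  IPv4 6687820      0t0  TCP
derp.unx.csupomona.edu:43357->halfy.unx.csupomona.edu:kerberos-adm
(ESTABLISHED)
apache2   18313 apache   24u  IPv4 6854962      0t0  TCP
derp.unx.csupomona.edu:45101->halfy.unx.csupomona.edu:kerberos-adm
(ESTABLISHED)
apache2   18313 apache   25u  IPv4 6793863      0t0  TCP
derp.unx.csupomona.edu:47373->halfy.unx.csupomona.edu:kerberos-adm
(ESTABLISHED)
apache2   18400 apache   23u  IPv4 7001234      0t0  TCP derp.unx.csupomona.edu:51000->halfy.unx.csupomona.edu:kerberos-adm (ESTABLISHED)
sshd       1200 root      3u  IPv4 1234567      0t0  TCP derp.unx.csupomona.edu:ssh->192.0.2.10:50000 (ESTABLISHED)
"""

# Constructed sample of kadmind log lines in the format quoted in the post.
KADMIND_LOG_SAMPLE = """\
Oct 15 18:10:11 halfy kadmind[25046]: too many connections
Oct 15 18:10:11 halfy kadmind[25046]: dropping tcp fd 36 from 134.71.247.23.46955
Oct 15 18:12:40 halfy kadmind[25046]: too many connections
Oct 15 18:12:40 halfy kadmind[25046]: dropping tcp fd 37 from 134.71.247.23.46990
Oct 15 18:13:02 halfy kadmind[25046]: dropping tcp fd 38 from 192.0.2.44.40001
"""

# A new lsof record starts with COMMAND PID USER FD; mail-wrapped
# continuation lines (the NAME and the state) do not match this shape.
RECORD_START = re.compile(r"^\S+\s+\d+\s+\S+\s+\d+[a-zA-Z]")


def unwrap_lsof(text):
    """Join wrapped lsof output back into one line per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def connections_per_pid(text, service="kerberos-adm"):
    """Count ESTABLISHED TCP connections per PID whose remote end is `service`."""
    counts = Counter()
    for rec in unwrap_lsof(text):
        fields = rec.split()
        # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
        if len(fields) < 10 or fields[7] != "TCP" or fields[-1] != "(ESTABLISHED)":
            continue
        name = fields[8]
        if "->" in name and name.split("->", 1)[1].endswith(":" + service):
            counts[int(fields[1])] += 1
    return counts


def leaking_pids(counts, max_per_process=1):
    """PIDs holding more kadmin connections than a process is expected to keep."""
    return sorted(pid for pid, n in counts.items() if n > max_per_process)


# kadmind writes the peer as address.port, so the last dotted field is the port.
DROP_LINE = re.compile(
    r"kadmind\[\d+\]: dropping tcp fd (\d+) from (\d+\.\d+\.\d+\.\d+)\.(\d+)$")


def drops_per_source(log_text):
    """Count kadmind 'dropping tcp fd' lines per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROP_LINE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


if __name__ == "__main__":
    per_pid = connections_per_pid(LSOF_SAMPLE)
    for pid in leaking_pids(per_pid):
        print(f"pid {pid} holds {per_pid[pid]} kadmin connections (expected at most 1)")
    for src, n in drops_per_source(KADMIND_LOG_SAMPLE).most_common():
        print(f"kadmind dropped {n} connection(s) from {src}")
```

On a real client, feed `lsof -nP -iTCP -sTCP:ESTABLISHED` output into `connections_per_pid` and alert when `leaking_pids` is non-empty; the per-source tally from the KDC side tells you which client host is exhausting kadmind's connection slots.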


