[krbdev.mit.edu #6596] [Michael Spang] Bug#561176: krb5-kdc-ldap: krb5kdc leaks file descriptors

Sam Hartman via RT rt-comment at krbdev.mit.edu
Tue Dec 15 09:29:47 EST 2009


Subject: Bug#561176: krb5-kdc-ldap: krb5kdc leaks file descriptors
Reply-To: Michael Spang <mspang at csclub.uwaterloo.ca>, 561176 at bugs.debian.org
From: Michael Spang <mspang at csclub.uwaterloo.ca>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Date: Mon, 14 Dec 2009 18:59:54 -0500

Package: krb5-kdc-ldap
Version: 1.7dfsg~beta3-1.1
Severity: important

We are using the LDAP backend and the KDC slowly leaks file
descriptors to the LDAP server. The KDC needs to be restarted every
few days since it hits the resource limits for max open file
descriptors and becomes unresponsive. As a side effect, the LDAP
server also reaches its file descriptor limit and becomes
unresponsive.

Here's the tail of the LDAP server log for one crash:

Dec  9 02:33:39 ginseng slapd[21052]: conn=5792 op=0 RESULT tag=97 err=0 text=
Dec  9 02:33:39 ginseng slapd[21052]: conn=5793 fd=1022 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec  9 02:33:39 ginseng slapd[21052]: conn=5793 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" method=128
Dec  9 02:33:39 ginseng slapd[21052]: conn=5793 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" mech=SIMPLE ssf=0
Dec  9 02:33:39 ginseng slapd[21052]: conn=5793 op=0 RESULT tag=97 err=0 text=
Dec  9 02:33:39 ginseng slapd[21052]: conn=5794 fd=1023 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec  9 02:33:39 ginseng slapd[21052]: conn=5794 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" method=128
Dec  9 02:33:39 ginseng slapd[21052]: conn=5794 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" mech=SIMPLE ssf=0
Dec  9 02:33:39 ginseng slapd[21052]: conn=5794 op=0 RESULT tag=97 err=0 text=
Dec  9 02:33:39 ginseng slapd[21052]: daemon: accept(12) failed errno=24 (Too many open files)

The KDC eats up all that's left of the 1024 possible file descriptors
for slapd. The KDC log shows nothing of interest.

We are using the following configuration:

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kerberos_container_dn = "cn=kerberos,dc=csclub,dc=uwaterloo,dc=ca"
                ldap_kdc_dn = "cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca"
                ldap_kadmind_dn = "cn=kerberos-admin,dc=csclub,dc=uwaterloo,dc=ca"
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldapi:///
        }


This may be related to #511348; however, we do not use krb524d.

Thanks,
Michael Spang

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages krb5-kdc-ldap depends on:
ii  krb5-kdc               1.7dfsg~beta3-1.1 MIT Kerberos key server (KDC)
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libcomerr2             1.41.3-1          common error description library
ii  libgssapi-krb5-2       1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - k
ii  libgssrpc4             1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - G
ii  libk5crypto3           1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - C
ii  libkadm5srv6           1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - K
ii  libkdb5-4              1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - K
ii  libkeyutils1           1.2-9             Linux Key Management Utilities (li
ii  libkrb5-3              1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries
ii  libkrb5support0        1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - S
ii  libldap-2.4-2          2.4.11-1+lenny1   OpenLDAP libraries

krb5-kdc-ldap recommends no packages.

krb5-kdc-ldap suggests no packages.

-- no debconf information
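
An added example, not part of the original report or of krb5/OpenLDAP: a small audit of slapd log lines in the format quoted above that pairs each ACCEPT with its later "closed" line, groups the connections still open by bind DN, and flags the errno=24 accept failure. It assumes slapd logs at the stats level so that "conn=N fd=M closed" lines are present; the hostname, PID and DNs in the sample are constructed.

```python
import re
from collections import Counter

ACCEPT = re.compile(r"conn=(\d+) fd=(\d+) ACCEPT from (\S+)")
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed")
EMFILE = re.compile(r"accept\(\d+\) failed errno=24\b")


def audit(lines):
    """Return connections never closed, grouped by bind DN, plus an EMFILE flag."""
    open_conns = {}
    emfile = False
    for line in lines:
        if m := ACCEPT.search(line):
            open_conns[m.group(1)] = {"fd": int(m.group(2)), "dn": None}
        elif m := BIND.search(line):
            if m.group(1) in open_conns:
                open_conns[m.group(1)]["dn"] = m.group(2)
        elif m := CLOSED.search(line):
            open_conns.pop(m.group(1), None)   # fd returned to slapd
        elif EMFILE.search(line):
            emfile = True                      # slapd hit its descriptor limit
    by_dn = Counter(c["dn"] or "(unbound)" for c in open_conns.values())
    return {"open": sorted(open_conns, key=int),
            "by_dn": dict(by_dn),
            "emfile": emfile}


# Constructed sample log (not taken from the report).
P = "Dec  9 02:33:39 ldaphost slapd[100]: "
LDAPI = "ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)"
KDC = 'op=0 BIND dn="cn=kdc,dc=example,dc=org" method=128'
ADMIN = 'op=0 BIND dn="cn=admin,dc=example,dc=org" method=128'
SAMPLE = [P + s for s in (
    "conn=1 fd=20 " + LDAPI, "conn=1 " + KDC, "conn=1 fd=20 closed",
    "conn=2 fd=20 " + LDAPI, "conn=2 " + KDC,
    "conn=3 fd=21 " + LDAPI, "conn=3 " + KDC,
    "conn=4 fd=22 " + LDAPI, "conn=4 " + ADMIN,
    "conn=4 fd=22 closed (connection lost)",
    "conn=5 fd=22 " + LDAPI, "conn=5 " + KDC,
    "daemon: accept(12) failed errno=24 (Too many open files)",
)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A single bind DN accounting for nearly all of the never-closed connections identifies which client is holding the server's descriptors.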






