webauthldap(SUNetID): cannot get ticket: Too many open files (24)

Jeffrey Altman jaltman at secure-endpoints.com
Wed Feb 18 01:34:19 EST 2009


Fletcher Cocquyt wrote:
> Hi, I am following the code now on this one - after posting to the webauth list
> a couple weeks ago we are still experiencing several hundred of these errors
> per day - we have maxed out our file descriptors hard and soft limits at 64k and
> verified with running plimit.
>
> webauthldap(SUNetID): cannot get ticket: Too many open files (24)
>
> Env: Solaris 9, apache 2.0.52, webauth 3.5.4, MIT kerberos krb5-1.4.1
>
> Our apache threads are now approaching 250-300 open files (as reported by lsof).
>
> I suspect the issue may be isolated to the webauth and associated kerberos calls
> related to keytab and ticket cache operations.  This suspicion is based on:
> 1) error only occurs on mod_webauth protected URLs
> 2) error is always associated with webauthldap(SUNetID): cannot get ticket: Too
> many open files (24) messages
>
> Hypothesis: This version of webauth & kerberos is somehow not using the 64k file
> descriptor limit, but is using a 256 file limit and throwing the error on the
> ticket operations when the apache thread has more than 256 files open.
>
> There are other threads related to the use of char vs int resulting in return
> value overflow... Is there a kerberos bug in the 1.4.1 version which has since been fixed?
>
> Thanks
>
I'm going to hazard a guess that the problem is gssapi maintaining an
open file descriptor per context for the replay cache or that you are
experiencing a leak of file descriptors to the replay cache.  I do not
remember exactly the version that plugged the leak and fixed it by
maintaining a rcache fd per gss context.

Jeffrey Altman
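
An added example, not part of the original thread: one way to test the replay-cache descriptor-leak guess in the reply above is to count, per process, how many numeric descriptors point at the same path, using `lsof -F pfn` field output. The sample input, the PIDs, the replay cache path and the threshold of 3 are all constructed assumptions.

```python
from collections import Counter, defaultdict

def constructed_sample():
    """Constructed `lsof -F pfn` output; the PIDs and paths are made up."""
    lines = ["p4101", "fcwd", "n/", "f2", "n/var/apache/logs/error_log"]
    for fd in range(20, 26):  # six descriptors held on one file
        lines += [f"f{fd}", "n/var/tmp/rc_example_constructed"]
    lines += ["p4102", "f2", "n/var/apache/logs/error_log",
              "f5", "n/var/tmp/rc_example_constructed"]
    return "\n".join(lines)

def parse_lsof_fields(text):
    """Yield (pid, fd, name) from field output: p=pid, f=descriptor, n=name."""
    pid = fd = None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":
            pid, fd = int(value), None
        elif tag == "f":
            fd = value
        elif tag == "n" and pid is not None and fd is not None:
            yield pid, fd, value

def fd_report(text, threshold=3):
    """Per PID: open descriptor count, highest descriptor, repeated paths."""
    names = defaultdict(Counter)
    max_fd = defaultdict(int)
    for pid, fd, name in parse_lsof_fields(text):
        if not fd.isdigit():  # skip cwd, txt, mem and similar entries
            continue
        names[pid][name] += 1
        max_fd[pid] = max(max_fd[pid], int(fd))
    return {pid: {"open": sum(c.values()), "max_fd": max_fd[pid],
                  "repeated": {n: k for n, k in c.items() if k >= threshold}}
            for pid, c in names.items()}

if __name__ == "__main__":
    for pid, info in fd_report(constructed_sample()).items():
        print(pid, info)
```

A path whose count under `repeated` keeps growing between samples of the same process is the leak signature; `max_fd` shows how close the process is to the 256 boundary raised in the quoted hypothesis.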
