too many connections / dropping tcp fd in 1.9.1
Paul B. Henson
henson at acm.org
Mon Oct 17 21:22:35 EDT 2011
Hmm, guess I should have google'd a *little* bit more before posting :).
I found:
http://old.nabble.com/-krbdev.mit.edu--6949--TCP-connection-leak-with-1.9.1,-with-connect_to_server%28%29-p32342798.html
and it looks like this is already fixed in dev:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6949
Is there an ETA for a new version release with this fix? I guess I'll
just apply it locally for now...
On Mon, Oct 17, 2011 at 06:16:27PM -0700, Paul B. Henson wrote:
> We recently upgraded our kerberos deployment from 1.8.4 to 1.9.1 (we run
> Gentoo linux). Since then, we've noticed messages like
>
> Oct 15 18:10:11 halfy kadmind[25046]: too many connections
> Oct 15 18:10:11 halfy kadmind[25046]: dropping tcp fd 36 from 134.71.247.23.46955
>
> popping up in the logs. Looking into it, I think I've tracked this down
> to a connection leak in a mod_perl based web service used in our
> identity management infrastructure. We use the modules Authen::Krb5 and
> Authen::Krb5::Admin to manage our kerberos principals. Each apache process
> should have only one connection open to kadmin at a time, but at this
> point they seem to build up multiple connections per process over time:
>
> apache2 18313 apache 23u IPv4 6687820 0t0 TCP derp.unx.csupomona.edu:43357->halfy.unx.csupomona.edu:kerberos-adm (ESTABLISHED)
> apache2 18313 apache 24u IPv4 6854962 0t0 TCP derp.unx.csupomona.edu:45101->halfy.unx.csupomona.edu:kerberos-adm (ESTABLISHED)
> apache2 18313 apache 25u IPv4 6793863 0t0 TCP derp.unx.csupomona.edu:47373->halfy.unx.csupomona.edu:kerberos-adm (ESTABLISHED)
> apache2 18313 apache 26u IPv4 6963881 0t0 TCP derp.unx.csupomona.edu:39611->halfy.unx.csupomona.edu:kerberos-adm (ESTABLISHED)
> apache2 18313 apache 28u IPv4 7034009 0t0 TCP derp.unx.csupomona.edu:50685->halfy.unx.csupomona.edu:kerberos-adm (ESTABLISHED)
>
> I reinstalled 1.8.4 on a test box, and verified that code like:
>
> while (1) {
>     $kadm5 = Authen::Krb5::Admin->init_with_password($user, $password);
> }
>
> under 1.8.4 closes the TCP connection each time a new connection is
> made, but under 1.9.1, the exact same code leaks a connection every
> time.
>
> It looks like under the hood, Authen::Krb5::Admin is just calling
> kadm5_destroy in the object destructor. Can anybody think of a reason
> that under 1.9.1 this is not releasing the connection? Does
> Authen::Krb5::Admin need an update to be compatible with kerberos 1.9.1?
>
> Any help much appreciated, thanks...
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
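
One way to spot the symptom described in this thread, as an added example that is not part of the original post: it counts established kadmin connections per process in lsof output (tolerating records wrapped across lines) and tallies kadmind "dropping tcp fd" events per client. The function names, hostnames, addresses and sample input are constructed for illustration.

```python
import re
from collections import Counter

# lsof record for an established TCP connection; \s+ also matches the line
# breaks introduced when a mail client wraps each record.
LSOF_RE = re.compile(
    r"(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\d+u\s+IPv[46]\s+\d+\s+\S+\s+TCP\s+"
    r"\S+->\S+:(?P<svc>[\w-]+)\s+\(ESTABLISHED\)")
# kadmind message in the format quoted above: "<IPv4 address>.<port>"
DROP_RE = re.compile(
    r"kadmind\[\d+\]: dropping tcp fd \d+ from (?P<addr>\d+(?:\.\d+){3})\.(?P<port>\d+)")

def connections_per_process(lsof_text, service="kerberos-adm"):
    """Count established connections to `service` per (command, pid)."""
    counts = Counter()
    for m in LSOF_RE.finditer(lsof_text):
        if m["svc"] == service:
            counts[(m["cmd"], int(m["pid"]))] += 1
    return counts

def leaking_processes(lsof_text, expected=1):
    """Processes holding more kadmin connections than the expected number."""
    return {k: n for k, n in connections_per_process(lsof_text).items() if n > expected}

def dropped_clients(log_text):
    """Count kadmind 'dropping tcp fd' events per client address."""
    return Counter(m["addr"] for m in DROP_RE.finditer(log_text))

# Constructed sample input (documentation addresses and hostnames).
SAMPLE_LSOF = """\
apache2 4101 apache 23u IPv4 1000001 0t0 TCP
web.example.org:43357->kdc.example.org:kerberos-adm
(ESTABLISHED)
apache2 4101 apache 24u IPv4 1000002 0t0 TCP
web.example.org:45101->kdc.example.org:kerberos-adm
(ESTABLISHED)
apache2 4102 apache 23u IPv4 1000003 0t0 TCP web.example.org:40000->kdc.example.org:kerberos-adm (ESTABLISHED)
apache2 4102 apache 12u IPv4 1000004 0t0 TCP web.example.org:40002->db.example.org:postgresql (ESTABLISHED)
"""
SAMPLE_LOG = """\
Oct 15 18:10:11 kdc kadmind[25046]: too many connections
Oct 15 18:10:11 kdc kadmind[25046]: dropping tcp fd 36 from 192.0.2.23.46955
Oct 15 18:10:12 kdc kadmind[25046]: dropping tcp fd 37 from 192.0.2.23.46960
Oct 15 18:10:15 kdc kadmind[25046]: dropping tcp fd 38 from 192.0.2.40.51200
"""

if __name__ == "__main__":
    print(leaking_processes(SAMPLE_LSOF))
    print(dropped_clients(SAMPLE_LOG).most_common())
```

If lsof is run with -P the service column shows the port number instead of kerberos-adm, so pass that number as `service` to `connections_per_process`.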