[Bug 1771805] Re: AD keytab renewal task leaks a file descriptor

Victor Tapia victor.tapia at canonical.com
Tue Jun 5 14:33:37 UTC 2018


=== VERIFICATION ===
- Using the packages in xenial-proposed:

ubuntu at sssd-xenial:~$ dpkg -l | grep sssd
ii  sssd                              1.13.4-1ubuntu1.11                         amd64        System Security Services Daemon -- metapackage
ii  sssd-ad                           1.13.4-1ubuntu1.11                         amd64        System Security Services Daemon -- Active Directory back end
ii  sssd-ad-common                    1.13.4-1ubuntu1.11                         amd64        System Security Services Daemon -- PAC responder
ii  sssd-common                       1.13.4-1ubuntu1.11                         amd64        System Security Services Daemon -- common files
ii  sssd-ipa                          1.13.4-1ubuntu1.11                         amd64        System Security Services Daemon -- IPA back end
ii  sssd-krb5                         1.13.4-1ubuntu1.11                         amd64        System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common                  1.13.4-1ubuntu1.11                         amd64        System Security Services Daemon -- Kerberos helpers
ii  sssd-ldap                         1.13.4-1ubuntu1.11                         amd64        System Security Services Daemon -- LDAP back end
ii  sssd-proxy                        1.13.4-1ubuntu1.11                         amd64        System Security Services Daemon -- proxy back end

ubuntu at sssd-xenial:~$ apt-cache policy sssd
sssd:
  Installed: 1.13.4-1ubuntu1.11
  Candidate: 1.13.4-1ubuntu1.11
  Version table:
 *** 1.13.4-1ubuntu1.11 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status


- With the same configuration as in the description (ad_machine_account_password_renewal_opts = 5:5), start SSSD.
- Monitor the fds and confirm there's no leak:

root at sssd-xenial:/var/log/sssd# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
28
28
28
28
28
28

- AD machine password renewal still works:

(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503779]
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5530].
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5530] finished successfully.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5532] 
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1152850 
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
 * Found realm in keytab: UBUNTU.LOCAL
 * Found service principal in keytab: host/sssd-xenial.ubuntu.local
 * Found host qualified name in keytab: host/sssd-xenial.ubuntu.local
 * Found service principal in keytab: host/sssd-xenial
 * Found computer name in keytab: SSSD-XENIAL
 * Using fully qualified name: sssd-xenial
 * Using domain name: ubuntu.local
 * Calculated computer account name from fqdn: SSSD-XENIAL
 * Using domain realm: ubuntu.local
 * Sending netlogon pings to domain controller: cldap://10.5.0.12
 * Received NetLogon info from: DC.ubuntu.local
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-nQYPKJ/krb5.d/adcli-krb5-conf-go6Txj
 * Authenticated as default/reset computer account: SSSD-XENIAL
 * Looked up short domain name: UBUNTU
 * Using fully qualified name: sssd-xenial
 * Using domain name: ubuntu.local
 * Using computer account name: SSSD-XENIAL
 * Using domain realm: ubuntu.local
 * Using fully qualified name: sssd-xenial.ubuntu.local
 * Enrolling computer name: SSSD-XENIAL
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for SSSD-XENIAL$ at: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
 * Retrieved kvno '2' for computer account in directory: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
 * Password not too old, no change needed
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local: Insufficient access
 * Updated existing computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
---adcli output end---
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503784]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5532].
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5532] finished successfully.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1771805

Title:
  AD keytab renewal task leaks a file descriptor

Status in sssd package in Ubuntu:
  Fix Released
Status in sssd source package in Xenial:
  Fix Committed

Bug description:
  [Impact]

  When SSSD tries to renew the machine password, a write_to_child_fd is
  open but never closed, leaking a descriptor per request until it hits
  the limit and SSSD stops.

  [Test Case]

  1. With an AD deployed, and having the machine registered, include the
  following option in sssd.conf:

  # This option should only be used to test the machine account renewal task. The option expects 2 integers separated by a colon (':'). The first integer defines the interval in
  # seconds how often the task is run. The second specifies the initial timeout in seconds before the task is run for the first time after startup.
  # Default: 86400:750 (24h and 15m)
  ad_machine_account_password_renewal_opts = 5:5

  2. Restart the service and monitor the use of descriptors:

  root at sssd-xenial:/home/ubuntu# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
  38
  50
  62
  74
  86
  98
  110
  122
  134
  146
  158
  170
  182
  194
  206
  217
  229
  ^C

  [Regression potential]

  * Small, the fix comes from upstream and it's been present for some time.
  * An fd could still leak, or the AD machine password renewal could stop working.

  [Other info]

  The bug is reported and fixed upstream:
  https://pagure.io/SSSD/sssd/issue/3017

  Upstream fix commit:
  https://pagure.io/SSSD/sssd/c/312d211e03b9f3769a0362f1767cc59792e32746

  Trusty is not affected (feature not implemented) and A/B/C already
  include the fix:

  $ git describe 312d211e03b9f3769a0362f1767cc59792e32746
  sssd-1_13_4-10-g312d211e0

  $ rmadison sssd
  ==> sssd | 1.13.4-1ubuntu1.10 | xenial-updates
      sssd | 1.15.3-2ubuntu1    | artful
      sssd | 1.16.1-1ubuntu1    | bionic
      sssd | 1.16.1-1ubuntu1    | cosmic
      sssd | 1.16.1-1ubuntu3    | cosmic-proposed

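A scripted form of the descriptor check used in the test case and the verification above, as an added example that is not the reporter's or SSSD's own code: it counts /proc/<pid>/fd entries the way the `while` loop does and, given the task interval from ad_machine_account_password_renewal_opts, estimates how many descriptors each renewal run leaks. The function names, the `noise` tolerance and the embedded sample values (copied from the counts pasted in the report) are assumptions of this example.

```python
"""Detect a file-descriptor leak in a long-running daemon such as sssd_be.

Added example, not part of the bug report or of SSSD: it reproduces the
report's fd-count check in code and turns the raw counts into a per-run
leak estimate. The sample lists at the bottom are constructed from the
numbers pasted in the report so the analysis can run offline.
"""
import os
import time
from statistics import mean


def fd_count(pid):
    """Open descriptors of `pid`, equivalent to `ls /proc/<pid>/fd | wc -l`."""
    return len(os.listdir(f"/proc/{pid}/fd"))


def analyse_fd_samples(samples, sample_period_s, task_interval_s, noise=2):
    """Return (leaking, fds_per_task_run).

    samples: fd counts taken every sample_period_s seconds.
    task_interval_s: how often the suspected task runs (the first number in
    ad_machine_account_password_renewal_opts; 5 in the test case).
    A leak is declared when the count never drops and the net growth exceeds
    `noise` (an assumed tolerance for transient descriptors, e.g. a child
    pipe caught mid-request).
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    deltas = [b - a for a, b in zip(samples, samples[1:])]
    net_growth = samples[-1] - samples[0]
    leaking = net_growth > noise and all(d >= 0 for d in deltas)
    runs_per_sample = sample_period_s / task_interval_s   # 60 / 5 = 12 runs
    return leaking, mean(deltas) / runs_per_sample


def watch(pid, samples=6, sample_period_s=60, task_interval_s=5):
    """Live variant of the report's loop: sample the daemon, then analyse."""
    counts = []
    for _ in range(samples):
        counts.append(fd_count(pid))
        time.sleep(sample_period_s)
    return analyse_fd_samples(counts, sample_period_s, task_interval_s)


# Constructed from the report: counts before the fix (one sample per minute)...
LEAKING_SAMPLES = [38, 50, 62, 74, 86, 98, 110, 122, 134,
                   146, 158, 170, 182, 194, 206, 217, 229]
# ...and after the fix, from the verification run.
FIXED_SAMPLES = [28, 28, 28, 28, 28, 28]

if __name__ == "__main__":
    for name, s in (("before fix", LEAKING_SAMPLES), ("after fix", FIXED_SAMPLES)):
        leaking, per_run = analyse_fd_samples(s, 60, 5)
        print(f"{name}: leaking={leaking}, ~{per_run:.2f} fd leaked per task run")
```

With the report's numbers the growth works out to roughly one descriptor per renewal run, which matches the single unclosed write_to_child_fd described in [Impact].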