[Bug 1771805] Re: AD keytab renewal task leaks a file descriptor

Thu May 24 14:14:33 UTC 2018

Hello Victor, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.11 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: sssd (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1771805

Title:
  AD keytab renewal task leaks a file descriptor

Status in sssd package in Ubuntu:
  Fix Released
Status in sssd source package in Xenial:
  Fix Committed

Bug description:
  [Impact]

  When SSSD tries to renew the machine password, a write_to_child_fd is
  open but never closed, leaking a descriptor per request until it hits
  the limit and SSSD stops.

  [Test Case]

  1. With an AD deployed, and having the machine registered, include the
  following option in sssd.conf:

  # This option should only be used to test the machine account renewal task. The option expect 2 integers seperated by a colon (':'). The first integer defines the interval in
  # seconds how often the task is run. The second specifies the inital timeout in seconds before the task is run for the first time after startup.
  # Default: 86400:750 (24h and 15m)
  ad_machine_account_password_renewal_opts = 5:5

  2. Restart the service and monitor the use of descriptors:

  root at sssd-xenial:/home/ubuntu# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
  38
  50
  62
  74
  86
  98
  110
  122
  134
  146
  158
  170
  182
  194
  206
  217
  229
  ^C

  [Regression potential]

  * Small, the fix comes from upstream and it's been present for some time.
  * A fd could still leak, or the AD machine password renewal could stop working.

  [Other info]

  The bug is reported and fixed upstream:
  https://pagure.io/SSSD/sssd/issue/3017

  Upstream fix commit:
  https://pagure.io/SSSD/sssd/c/312d211e03b9f3769a0362f1767cc59792e32746

  Trusty is not affected (feat not implemented) and A/B/C already
  include the fix :

  $ git describe 312d211e03b9f3769a0362f1767cc59792e32746
  sssd-1_13_4-10-g312d211e0

  $ rmadison sssd
  ==> sssd | 1.13.4-1ubuntu1.10 | xenial-updates
      sssd | 1.15.3-2ubuntu1    | artful
      sssd | 1.16.1-1ubuntu1    | bionic
      sssd | 1.16.1-1ubuntu1    | cosmic
      sssd | 1.16.1-1ubuntu3    | cosmic-proposed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1771805/+subscriptions