[11247] in Kerberos-V5-bugs


[krbdev.mit.edu #6596] [Michael Spang] Bug#561176: krb5-kdc-ldap:

daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Tue Dec 15 09:30:30 2009

From: "Sam Hartman via RT" <rt-comment@krbdev.MIT.EDU>
Date: Tue, 15 Dec 2009 14:29:47 +0000 (UTC)

Subject: Bug#561176: krb5-kdc-ldap: krb5kdc leaks file descriptors
From: Michael Spang <mspang@csclub.uwaterloo.ca>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Mon, 14 Dec 2009 18:59:54 -0500

Package: krb5-kdc-ldap
Version: 1.7dfsg~beta3-1.1
Severity: important

We are using the LDAP backend and the KDC slowly leaks file
descriptors to the LDAP server. The KDC needs to be restarted every
few days since it hits the resource limits for max open file
descriptors and becomes unresponsive. As a side effect, the LDAP
server also reaches its file descriptor limit and becomes
unresponsive.

Here's the tail of the LDAP server log for one crash:

Dec  9 02:33:39 ginseng slapd[21052]: conn=5792 op=0 RESULT tag=97 err=0 text=
Dec  9 02:33:39 ginseng slapd[21052]: conn=5793 fd=1022 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec  9 02:33:39 ginseng slapd[21052]: conn=5793 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" method=128
Dec  9 02:33:39 ginseng slapd[21052]: conn=5793 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" mech=SIMPLE ssf=0
Dec  9 02:33:39 ginseng slapd[21052]: conn=5793 op=0 RESULT tag=97 err=0 text=
Dec  9 02:33:39 ginseng slapd[21052]: conn=5794 fd=1023 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec  9 02:33:39 ginseng slapd[21052]: conn=5794 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" method=128
Dec  9 02:33:39 ginseng slapd[21052]: conn=5794 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" mech=SIMPLE ssf=0
Dec  9 02:33:39 ginseng slapd[21052]: conn=5794 op=0 RESULT tag=97 err=0 text=
Dec  9 02:33:39 ginseng slapd[21052]: daemon: accept(12) failed errno=24 (Too many open files)

The KDC eats up all that's left of the 1024 possible file descriptors
for slapd. The KDC log shows nothing of interest.

We are using the following configuration:

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kerberos_container_dn = "cn=kerberos,dc=csclub,dc=uwaterloo,dc=ca"
                ldap_kdc_dn = "cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca"
                ldap_kadmind_dn = "cn=kerberos-admin,dc=csclub,dc=uwaterloo,dc=ca"
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldapi:///
        }


This may be related to #511348; however, we do not use krb524d.

Thanks,
Michael Spang

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages krb5-kdc-ldap depends on:
ii  krb5-kdc               1.7dfsg~beta3-1.1 MIT Kerberos key server (KDC)
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libcomerr2             1.41.3-1          common error description library
ii  libgssapi-krb5-2       1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - k
ii  libgssrpc4             1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - G
ii  libk5crypto3           1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - C
ii  libkadm5srv6           1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - K
ii  libkdb5-4              1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - K
ii  libkeyutils1           1.2-9             Linux Key Management Utilities (li
ii  libkrb5-3              1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries
ii  libkrb5support0        1.7dfsg~beta3-1.1 MIT Kerberos runtime libraries - S
ii  libldap-2.4-2          2.4.11-1+lenny1   OpenLDAP libraries

krb5-kdc-ldap recommends no packages.

krb5-kdc-ldap suggests no packages.

-- no debconf information
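
An added example, not part of the original report: a small analyzer for slapd stats-level logs that tracks which bind DN holds connections that were accepted but never closed, and flags the errno=24 condition quoted above. The sample log is constructed; the host name, DNs and the "closed" line format are assumptions not taken from the report.

```python
import re
from collections import Counter

ACCEPT = re.compile(r"conn=(\d+) fd=(\d+) ACCEPT from ")
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed")   # assumed close-line format
EMFILE = re.compile(r"accept\(\d+\) failed errno=24")

def analyze(log_text):
    """Summarize connections still open at the end of a slapd log excerpt."""
    open_conns = {}          # conn id -> {"fd": int or None, "dn": str or None}
    max_fd, exhausted = -1, False
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            fd = int(m.group(2))
            open_conns[m.group(1)] = {"fd": fd, "dn": None}
            max_fd = max(max_fd, fd)
        elif m := BIND.search(line):
            # A log tail may show a BIND whose ACCEPT is outside the window.
            open_conns.setdefault(m.group(1), {"fd": None, "dn": None})["dn"] = m.group(2)
        elif m := CLOSED.search(line):
            open_conns.pop(m.group(1), None)
        elif EMFILE.search(line):
            exhausted = True
    by_dn = Counter(c["dn"] or "<unbound>" for c in open_conns.values())
    return {"open_by_dn": dict(by_dn), "max_fd": max_fd, "fd_exhausted": exhausted}

# Constructed sample input (not lines from the report).
P = "Dec  9 02:33:39 ldaphost slapd[100]: "
KDC = "cn=kerberos-kdc,dc=example,dc=org"
SAMPLE_LOG = "\n".join(P + s for s in [
    "conn=101 fd=1021 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)",
    f'conn=101 op=0 BIND dn="{KDC}" method=128',
    "conn=102 fd=1022 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)",
    'conn=102 op=0 BIND dn="uid=app,dc=example,dc=org" method=128',
    "conn=102 fd=1022 closed",
    "conn=103 fd=1022 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)",
    f'conn=103 op=0 BIND dn="{KDC}" method=128',
    "conn=104 fd=1023 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)",
    f'conn=104 op=0 BIND dn="{KDC}" method=128',
    "daemon: accept(12) failed errno=24 (Too many open files)",
])

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run periodically over the LDAP server log, a steadily growing count for one bind DN identifies the leaking client before the descriptor limit is reached.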



