=== VERIFICATION ===
- Using the packages in xenial-proposed:
ubuntu@sssd-xenial:~$ dpkg -l | grep sssd
ii  sssd              1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- metapackage
ii  sssd-ad           1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- Active Directory back end
ii  sssd-ad-common    1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- PAC responder
ii  sssd-common       1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- common files
ii  sssd-ipa          1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- IPA back end
ii  sssd-krb5         1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common  1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- Kerberos helpers
ii  sssd-ldap         1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- LDAP back end
ii  sssd-proxy        1.13.4-1ubuntu1.11  amd64  System Security Services Daemon -- proxy back end
ubuntu@sssd-xenial:~$ apt-cache policy sssd
sssd:
  Installed: 1.13.4-1ubuntu1.11
  Candidate: 1.13.4-1ubuntu1.11
  Version table:
 *** 1.13.4-1ubuntu1.11 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
- With the same configuration as in the description
(ad_machine_account_password_renewal_opts = 5:5), start SSSD.
- Monitor the fds and confirm there's no leak:
root@sssd-xenial:/var/log/sssd# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
28
28
28
28
28
28
- AD machine password renewal still works:
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503779]
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5530].
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5530] finished successfully.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1152850
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
* Found realm in keytab: UBUNTU.LOCAL
* Found service principal in keytab: host/sssd-xenial.ubuntu.local
* Found host qualified name in keytab: host/sssd-xenial.ubuntu.local
* Found service principal in keytab: host/sssd-xenial
* Found computer name in keytab: SSSD-XENIAL
* Using fully qualified name: sssd-xenial
* Using domain name: ubuntu.local
* Calculated computer account name from fqdn: SSSD-XENIAL
* Using domain realm: ubuntu.local
* Sending netlogon pings to domain controller: cldap://10.5.0.12
* Received NetLogon info from: DC.ubuntu.local
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-nQYPKJ/krb5.d/adcli-krb5-conf-go6Txj
* Authenticated as default/reset computer account: SSSD-XENIAL
* Looked up short domain name: UBUNTU
* Using fully qualified name: sssd-xenial
* Using domain name: ubuntu.local
* Using computer account name: SSSD-XENIAL
* Using domain realm: ubuntu.local
* Using fully qualified name: sssd-xenial.ubuntu.local
* Enrolling computer name: SSSD-XENIAL
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for SSSD-XENIAL$ at: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
* Retrieved kvno '2' for computer account in directory: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
* Password not too old, no change needed
* Modifying computer account: userAccountControl
! Couldn't set userAccountControl on computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local: Insufficient access
* Updated existing computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
---adcli output end---
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503784]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5532].
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5532] finished successfully.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1771805
Title:
AD keytab renewal task leaks a file descriptor
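The verification above pairs a flat descriptor count with proof that the renewal task kept running. The sketch below scripts that pairing; it is an added example, not part of the original bug comment or of SSSD. The function names are hypothetical, the log path is a placeholder, and it assumes a leak in the task would add at least one descriptor per run.

```shell
#!/bin/sh
# Added example, not from the bug report. All function names are hypothetical.

# Open descriptors of a PID: counts the symlinks under /proc/<pid>/fd only,
# so it can read lower than `ll ... | wc -l`, which also counts header lines.
fd_count() (
    n=0
    for f in "/proc/$1/fd"/*; do
        if [ -L "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
)

# Count completed renewal runs in an SSSD backend log read from stdin.
renewal_runs() {
    grep -cF 'Task [AD machine account password renewal]: finished successfully' || true
}

# leak_verdict RUNS SAMPLE... : compare descriptor growth with task runs.
# Assumption: a leak in the task adds at least one descriptor per run.
leak_verdict() (
    runs=$1; shift
    first=$1
    for s in "$@"; do last=$s; done
    delta=$((last - first))
    if [ "$runs" -eq 0 ]; then echo inconclusive   # task never ran: proves nothing
    elif [ "$delta" -le 0 ]; then echo stable
    elif [ "$delta" -ge "$runs" ]; then echo leak-per-run
    else echo growth
    fi
)

# watch_be PID COUNT INTERVAL LOGFILE : sample a live sssd_be, then judge.
# e.g. watch_be "$(pidof sssd_be)" 6 60 /path/to/backend.log  (path is a placeholder)
watch_be() (
    pid=$1; n=$2; interval=$3; log=$4; samples=
    before=$(renewal_runs < "$log")
    while [ "$n" -gt 0 ]; do
        samples="$samples $(fd_count "$pid")"
        n=$((n - 1))
        if [ "$n" -gt 0 ]; then sleep "$interval"; fi
    done
    leak_verdict $(( $(renewal_runs < "$log") - before )) $samples
)

# Constructed samples modelled on the report: flat count across 12 runs.
leak_verdict 12 28 28 28 28 28 28
# Constructed failing case: one extra descriptor for each of 12 runs.
leak_verdict 12 28 40
```

The `inconclusive` verdict covers the case where the count stayed flat only because the renewal task never fired during the sampling window.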