AD keytab renewal task leaks a file descriptor

Bug #1771805 reported by Victor Tapia on 2018-05-17
Affects: sssd (Ubuntu) | Importance: Undecided | Assigned to: Unassigned
Affects: Xenial | Importance: Medium | Assigned to: Victor Tapia

Bug Description

[Impact]

When SSSD tries to renew the machine password, a write_to_child_fd is open but never closed, leaking a descriptor per request until it hits the limit and SSSD stops.

[Test Case]

1. With an AD deployed, and having the machine registered, include the following option in sssd.conf:

# This option should only be used to test the machine account renewal task. The option expects 2 integers separated by a colon (':'). The first integer defines the interval in
# seconds how often the task is run. The second specifies the initial timeout in seconds before the task is run for the first time after startup.
# Default: 86400:750 (24h and 15m)
ad_machine_account_password_renewal_opts = 5:5

2. Restart the service and monitor the use of descriptors:

root@sssd-xenial:/home/ubuntu# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
38
50
62
74
86
98
110
122
134
146
158
170
182
194
206
217
229
^C

[Regression potential]

* Small, the fix comes from upstream and it's been present for some time.
* A fd could still leak, or the AD machine password renewal could stop working.

[Other info]

The bug is reported and fixed upstream: https://pagure.io/SSSD/sssd/issue/3017

Upstream fix commit:
https://pagure.io/SSSD/sssd/c/312d211e03b9f3769a0362f1767cc59792e32746

Trusty is not affected (feature not implemented) and A/B/C already include the fix:

$ git describe 312d211e03b9f3769a0362f1767cc59792e32746
sssd-1_13_4-10-g312d211e0

$ rmadison sssd
==> sssd | 1.13.4-1ubuntu1.10 | xenial-updates
    sssd | 1.15.3-2ubuntu1 | artful
    sssd | 1.16.1-1ubuntu1 | bionic
    sssd | 1.16.1-1ubuntu1 | cosmic
    sssd | 1.16.1-1ubuntu3 | cosmic-proposed
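
The leak the Impact section describes, as an added illustration that is not SSSD's code: a parent task forks a helper child, hands it the request through a pipe, and in the buggy variant keeps write_to_child_fd open after the write, so every run of the task costs one descriptor. The names count_open_fds, run_renewal_task and fd_growth are invented here; the descriptor count probes each fd number with fcntl(F_GETFD) instead of listing /proc/<pid>/fd as the test case above does, so it also works where /proc is not mounted.

```c
/* Added example, not SSSD's code: fd leak from a child-helper pipe and its fix. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count descriptors open in this process by probing each fd number.
   Equivalent in spirit to `ls /proc/$pid/fd | wc -l` from the test case. */
int count_open_fds(void) {
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* One "renewal" round: fork a helper child that reads the request from a
   pipe, write the request from the parent, wait for the child. With
   close_after_write == 0 the parent never closes write_to_child_fd, which
   is the leak pattern described in the bug; with 1 it closes it (the fix). */
int run_renewal_task(int close_after_write) {
    int pipefd[2];
    if (pipe(pipefd) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: only the read end is needed; read the request and exit */
        close(pipefd[1]);
        char buf[64];
        ssize_t got = read(pipefd[0], buf, sizeof buf);
        (void)got;
        close(pipefd[0]);
        _exit(0);
    }

    /* parent: the read end belongs to the child, drop our copy */
    close(pipefd[0]);
    int write_to_child_fd = pipefd[1];
    const char *req = "renew machine password\n"; /* constructed request */
    ssize_t sent = write(write_to_child_fd, req, strlen(req));
    (void)sent;

    if (close_after_write)
        close(write_to_child_fd); /* without this line the fd is leaked */

    int status;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* How many descriptors `rounds` runs of the task add to this process. */
int fd_growth(int rounds, int close_after_write) {
    int before = count_open_fds();
    for (int i = 0; i < rounds; i++)
        if (run_renewal_task(close_after_write) != 0)
            return -1;
    return count_open_fds() - before;
}

int main(void) {
    printf("growth with close:    %d\n", fd_growth(5, 1));
    printf("growth without close: %d\n", fd_growth(5, 0));
    return 0;
}
```

Run stand-alone, the fixed variant reports a growth of 0 and the leaking one a growth of one descriptor per round, the same linear climb the bug description's monitoring loop shows every 60 seconds.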

Victor Tapia (vtapia) on 2018-05-17
Changed in sssd (Ubuntu):
assignee: nobody → Victor Tapia (vtapia)
Victor Tapia (vtapia) wrote :
tags: added: sts-sru-needed

The attachment "Xenial debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Eric Desrochers (slashd) on 2018-05-18
Changed in sssd (Ubuntu Xenial):
assignee: nobody → Victor Tapia (vtapia)
importance: Undecided → Medium
status: New → In Progress
description: updated
Changed in sssd (Ubuntu):
assignee: Victor Tapia (vtapia) → nobody
status: New → Fix Released
Eric Desrochers (slashd) wrote :

Sponsored for Xenial.

It is now waiting in the xenial upload queue on SRU verification team approval to start building in xenial-proposed and enter the testing phase.

Łukasz Zemczak (sil2100) wrote :

Could we get a regression potential field on this bug? Thank you!

Victor Tapia (vtapia) on 2018-05-24
description: updated

Hello Victor, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in sssd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Victor Tapia (vtapia) wrote :

=== VERIFICATION ===
- Using the packages in xenial-proposed:

ubuntu@sssd-xenial:~$ dpkg -l | grep sssd
ii sssd 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- proxy back end

ubuntu@sssd-xenial:~$ apt-cache policy sssd
sssd:
  Installed: 1.13.4-1ubuntu1.11
  Candidate: 1.13.4-1ubuntu1.11
  Version table:
 *** 1.13.4-1ubuntu1.11 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

- With the same configuration as in the description (ad_machine_account_password_renewal_opts = 5:5), start SSSD.
- Monitor the fds and confirm there's no leak:

root@sssd-xenial:/var/log/sssd# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
28
28
28
28
28
28

- AD machine password renewal still works:

(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503779]
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5530].
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5530] finished successfully.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1152850
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon May 28 10:36:...

Victor Tapia (vtapia) on 2018-06-06
tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.11

---------------
sssd (1.13.4-1ubuntu1.11) xenial; urgency=medium

  * d/p/fix-ad-passwd-renewal-fd-leak.diff: Fix fd leak triggered by the AD
    machine password renewal task (LP: #1771805).

 -- Victor Tapia <email address hidden> Thu, 17 May 2018 12:49:25 +0200

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
