AD keytab renewal task leaks a file descriptor

Bug #1771805 reported by Victor Tapia
Affects          Status        Importance   Assigned to     Milestone
sssd (Ubuntu)    Fix Released  Undecided    Unassigned
  Xenial         Fix Released  Medium       Victor Tapia

Bug Description

[Impact]

When SSSD tries to renew the machine password, a write_to_child_fd is opened but never closed, leaking one descriptor per request until the process hits its descriptor limit and SSSD stops.

[Test Case]

1. With an AD deployed and the machine registered to it, include the following option in sssd.conf:

# This option should only be used to test the machine account renewal task. The option expects 2 integers separated by a colon (':'). The first integer defines the interval in
# seconds how often the task is run. The second specifies the initial timeout in seconds before the task is run for the first time after startup.
# Default: 86400:750 (24h and 15m)
ad_machine_account_password_renewal_opts = 5:5

2. Restart the service and monitor the use of descriptors:

root@sssd-xenial:/home/ubuntu# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
38
50
62
74
86
98
110
122
134
146
158
170
182
194
206
217
229
^C

[Regression potential]

* Small: the fix comes from upstream and has been present there for some time.
* An fd could still leak, or the AD machine password renewal could stop working.

[Other info]

The bug was reported and fixed upstream: https://pagure.io/SSSD/sssd/issue/3017

Upstream fix commit:
https://pagure.io/SSSD/sssd/c/312d211e03b9f3769a0362f1767cc59792e32746

Trusty is not affected (feature not implemented) and A/B/C already include the fix:

$ git describe 312d211e03b9f3769a0362f1767cc59792e32746
sssd-1_13_4-10-g312d211e0

$ rmadison sssd
==> sssd | 1.13.4-1ubuntu1.10 | xenial-updates
    sssd | 1.15.3-2ubuntu1 | artful
    sssd | 1.16.1-1ubuntu1 | bionic
    sssd | 1.16.1-1ubuntu1 | cosmic
    sssd | 1.16.1-1ubuntu3 | cosmic-proposed
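The descriptor-counting loop from the test case, generalised into a small script. This is an added example, not part of the bug report or of sssd: it samples /proc/<pid>/fd the way the reporter did (with `ls -1` rather than the `ll` alias, so it runs under plain sh), flags a series of counts that only ever grows, and, when it does, summarises what the descriptors point at, so that leaked pipes to the renewal helper child stand out from the LDAP and Kerberos sockets that sssd_be normally keeps open. The function names, the 38/50/62 style sample series and the leak heuristic (monotonic growth with a strictly higher final count) are the example's own assumptions; `sssd_be`, `pidof` and the 60 s interval come from the report. Reading another user's /proc/<pid>/fd needs root, which is why the reporter ran the loop as root.

```shell
#!/bin/sh
# Added example (not from the bug report or sssd): watch a process for a
# descriptor leak, as the reporter did by hand with
#   while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done

# Number of open descriptors of PID; fails if the process has gone away.
fd_count() {
    pid=$1
    [ -d "/proc/$pid/fd" ] || return 1
    ls -1 "/proc/$pid/fd" | wc -l | tr -d ' '
}

# What the descriptors point at: "pipe", "socket", "anon_inode" or "file",
# with a count for each, most frequent first. A leak of pipes to a child
# helper shows up here as a pipe count that dwarfs everything else.
fd_summary() {
    pid=$1
    for fd in /proc/"$pid"/fd/*; do
        readlink "$fd" 2>/dev/null || echo unknown   # fd may close under us
    done | sed -E -e 's/^(pipe|socket|anon_inode):.*/\1/' -e 't' \
                  -e 's#^/.*#file#' | sort | uniq -c | sort -rn
}

# Leak heuristic (an assumption of this example): given whitespace-separated
# samples, succeed (return 0) if no sample is lower than the one before it
# and the last is strictly higher than the first; fail (return 1) otherwise.
is_leaking() {
    prev=""; first=""; last=""
    for n in $1; do
        [ -z "$first" ] && first=$n
        if [ -n "$prev" ] && [ "$n" -lt "$prev" ]; then
            return 1
        fi
        prev=$n; last=$n
    done
    [ -n "$first" ] && [ "$last" -gt "$first" ]
}

# Take SAMPLES readings of PID, INTERVAL seconds apart, and report.
# Returns 0 when growth was observed, 1 when not, 2 if the process exited.
watch_fds() {
    pid=$1; samples=$2; interval=$3
    series=""; i=0
    while [ "$i" -lt "$samples" ]; do
        c=$(fd_count "$pid") || { echo "process $pid exited" >&2; return 2; }
        series="$series $c"
        i=$((i + 1))
        [ "$i" -lt "$samples" ] && sleep "$interval"
    done
    echo "samples:$series"
    if is_leaking "$series"; then
        echo "LEAK SUSPECTED: descriptor count grows monotonically"
        fd_summary "$pid"
        return 0
    fi
    echo "no growth observed"
    return 1
}

# Usage, as root, with ad_machine_account_password_renewal_opts = 5:5 set
# as in the test case: ten readings one minute apart.
#   watch_fds "$(pidof sssd_be)" 10 60
```

With the 5:5 setting the task runs every five seconds, so twelve new descriptors per minute is exactly one leaked fd per run; the fixed package should give a flat series like the 28/28/28 in the verification comment below. Increase the sample count rather than the interval if you want to rule out slow leaks on a production interval.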

Victor Tapia (vtapia)
Changed in sssd (Ubuntu):
assignee: nobody → Victor Tapia (vtapia)
Victor Tapia (vtapia) wrote :
tags: added: sts-sru-needed
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Xenial debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Eric Desrochers (slashd)
Changed in sssd (Ubuntu Xenial):
assignee: nobody → Victor Tapia (vtapia)
importance: Undecided → Medium
status: New → In Progress
description: updated
Changed in sssd (Ubuntu):
assignee: Victor Tapia (vtapia) → nobody
status: New → Fix Released
Eric Desrochers (slashd) wrote :

Sponsored for Xenial.

It is now waiting in the xenial upload queue on SRU verification team approval to start building in xenial-proposed and enter the testing phase.

Łukasz Zemczak (sil2100) wrote :

Could we get a regression potential field on this bug? Thank you!

Victor Tapia (vtapia)
description: updated
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Victor, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Victor Tapia (vtapia) wrote :

=== VERIFICATION ===
- Using the packages in xenial-proposed:

ubuntu@sssd-xenial:~$ dpkg -l | grep sssd
ii sssd 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- proxy back end

ubuntu@sssd-xenial:~$ apt-cache policy sssd
sssd:
  Installed: 1.13.4-1ubuntu1.11
  Candidate: 1.13.4-1ubuntu1.11
  Version table:
 *** 1.13.4-1ubuntu1.11 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

- With the same configuration as in the description (ad_machine_account_password_renewal_opts = 5:5), start SSSD.
- Monitor the fds and confirm there's no leak:

root@sssd-xenial:/var/log/sssd# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
28
28
28
28
28
28

- AD machine password renewal still works:

(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503779]
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5530].
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5530] finished successfully.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1152850
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon May 28 10:36:...


Victor Tapia (vtapia)
tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.11

---------------
sssd (1.13.4-1ubuntu1.11) xenial; urgency=medium

  * d/p/fix-ad-passwd-renewal-fd-leak.diff: Fix fd leak triggered by the AD
    machine password renewal task (LP: #1771805).

 -- Victor Tapia <email address hidden> Thu, 17 May 2018 12:49:25 +0200

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
