=== VERIFICATION ===
- Using the packages in xenial-proposed:
ubuntu@sssd-xenial:~$ dpkg -l | grep sssd
ii sssd 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- proxy back end
- With the same configuration as in the description (ad_machine_account_password_renewal_opts = 5:5), start SSSD.
- Monitor the fds and confirm there's no leak:
root@sssd-xenial:/var/log/sssd# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
28
28
28
28
28
28
- AD machine password renewal still works:
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503779]
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5530].
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5530] finished successfully.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1152850
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
* Found realm in keytab: UBUNTU.LOCAL
* Found service principal in keytab: host/sssd-xenial.ubuntu.local
* Found host qualified name in keytab: host/sssd-xenial.ubuntu.local
* Found service principal in keytab: host/sssd-xenial
* Found computer name in keytab: SSSD-XENIAL
* Using fully qualified name: sssd-xenial
* Using domain name: ubuntu.local
* Calculated computer account name from fqdn: SSSD-XENIAL
* Using domain realm: ubuntu.local
* Sending netlogon pings to domain controller: cldap://10.5.0.12
* Received NetLogon info from: DC.ubuntu.local
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-nQYPKJ/krb5.d/adcli-krb5-conf-go6Txj
* Authenticated as default/reset computer account: SSSD-XENIAL
* Looked up short domain name: UBUNTU
* Using fully qualified name: sssd-xenial
* Using domain name: ubuntu.local
* Using computer account name: SSSD-XENIAL
* Using domain realm: ubuntu.local
* Using fully qualified name: sssd-xenial.ubuntu.local
* Enrolling computer name: SSSD-XENIAL
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for SSSD-XENIAL$ at: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
* Retrieved kvno '2' for computer account in directory: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
* Password not too old, no change needed
* Modifying computer account: userAccountControl
! Couldn't set userAccountControl on computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local: Insufficient access
* Updated existing computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
---adcli output end---
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503784]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5532].
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5532] finished successfully.
ubuntu@sssd-xenial:~$ apt-cache policy sssd
sssd:
  Installed: 1.13.4-1ubuntu1.11
  Candidate: 1.13.4-1ubuntu1.11
  Version table:
 *** 1.13.4-1ubuntu1.11 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
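The fd-count check used in the verification above, written out as a small script. This is an added example, not part of the bug report or of SSSD: it samples /proc/<pid>/fd for a given pid at a fixed interval and classifies the series (stable, growing, fluctuating) instead of leaving the reader to eyeball a column of numbers, and it exits non-zero on the leak signature so it can gate an automated test. The function names fd_count, fd_trend and monitor_fds are my own, and the sample series in the usage comment are constructed.

```shell
#!/bin/bash
# Added example (not from the bug report): watch the open-fd count of a
# process and flag a monotonically growing count, which is what an fd leak
# in a periodic task like the AD machine password renewal looks like.

# fd_count PID: number of open file descriptors of PID.
# Prints 0 if the process does not exist. Reading /proc/PID/fd of a process
# owned by another user needs root, as in the original check.
fd_count() {
    local pid=$1
    [ -d "/proc/$pid/fd" ] || { echo 0; return; }
    ls -1 "/proc/$pid/fd" 2>/dev/null | wc -l | tr -d ' '
}

# fd_trend "c1 c2 c3 ...": classify a whitespace-separated series of counts.
#   stable      - last sample equals the first (the healthy case: 28 28 28 ...)
#   growing     - never decreased and ended higher (the leak signature)
#   fluctuating - anything else (normal churn of transient connections)
# Returns 1 on "growing" so callers can use it as a pass/fail gate.
fd_trend() {
    local first="" prev="" cur nondecreasing=1
    for cur in $1; do
        [ -z "$first" ] && first=$cur
        [ -n "$prev" ] && [ "$cur" -lt "$prev" ] && nondecreasing=0
        prev=$cur
    done
    if [ "$prev" -eq "$first" ]; then
        echo stable
    elif [ "$nondecreasing" -eq 1 ]; then
        echo growing
        return 1
    else
        echo fluctuating
    fi
}

# monitor_fds PID SAMPLES INTERVAL: take SAMPLES readings INTERVAL seconds
# apart, print them, then print and return the trend classification.
monitor_fds() {
    local pid=$1 n=$2 sleep_s=$3 samples="" i
    for i in $(seq "$n"); do
        samples="$samples $(fd_count "$pid")"
        [ "$i" -lt "$n" ] && sleep "$sleep_s"
    done
    echo "samples:$samples"
    fd_trend "$samples"
}

# Usage against the process from the report (constructed series shown for
# illustration; with renewal_opts = 5:5 the ptask fires every 5 s, so six
# 60-second samples cover a few dozen renewals):
#   monitor_fds "$(pidof sssd_be)" 6 60
#   fd_trend "28 28 28 28 28 28"   # -> stable
#   fd_trend "28 29 30 31 32 33"   # -> growing, exit status 1
```

The absolute number this reports is lower than the 28 in the verification because `ll` (an alias for `ls -alF` on Ubuntu) also prints the `total` line and the `.` and `..` entries; that offset is constant and does not affect the trend, which is the only thing the leak check depends on.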