Comment 6 for bug 1771805

Victor Tapia (vtapia) wrote :

=== VERIFICATION ===
- Using the packages in xenial-proposed:

ubuntu@sssd-xenial:~$ dpkg -l | grep sssd
ii sssd 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.13.4-1ubuntu1.11 amd64 System Security Services Daemon -- proxy back end

ubuntu@sssd-xenial:~$ apt-cache policy sssd
sssd:
  Installed: 1.13.4-1ubuntu1.11
  Candidate: 1.13.4-1ubuntu1.11
  Version table:
 *** 1.13.4-1ubuntu1.11 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

- With the same configuration as in the description (ad_machine_account_password_renewal_opts = 5:5), start SSSD.
- Monitor the fds and confirm there's no leak:

root@sssd-xenial:/var/log/sssd# while true; do ll /proc/$(pidof sssd_be)/fd | wc -l; sleep 60; done
28
28
28
28
28
28

- AD machine password renewal still works:

(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503779]
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5530].
(Mon May 28 10:36:14 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5530] finished successfully.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5532]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1152850
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
 * Found realm in keytab: UBUNTU.LOCAL
 * Found service principal in keytab: host/sssd-xenial.ubuntu.local
 * Found host qualified name in keytab: host/sssd-xenial.ubuntu.local
 * Found service principal in keytab: host/sssd-xenial
 * Found computer name in keytab: SSSD-XENIAL
 * Using fully qualified name: sssd-xenial
 * Using domain name: ubuntu.local
 * Calculated computer account name from fqdn: SSSD-XENIAL
 * Using domain realm: ubuntu.local
 * Sending netlogon pings to domain controller: cldap://10.5.0.12
 * Received NetLogon info from: DC.ubuntu.local
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-nQYPKJ/krb5.d/adcli-krb5-conf-go6Txj
 * Authenticated as default/reset computer account: SSSD-XENIAL
 * Looked up short domain name: UBUNTU
 * Using fully qualified name: sssd-xenial
 * Using domain name: ubuntu.local
 * Using computer account name: SSSD-XENIAL
 * Using domain realm: ubuntu.local
 * Using fully qualified name: sssd-xenial.ubuntu.local
 * Enrolling computer name: SSSD-XENIAL
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for SSSD-XENIAL$ at: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
 * Retrieved kvno '2' for computer account in directory: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
 * Password not too old, no change needed
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local: Insufficient access
 * Updated existing computer account: CN=sssd-xenial,CN=Computers,DC=ubuntu,DC=local
---adcli output end---
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 5 seconds from last execution time [1527503784]
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x1000): Waiting for child [5532].
(Mon May 28 10:36:19 2018) [sssd[be[ubuntu.local]]] [child_sig_handler] (0x0100): child [5532] finished successfully.
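
The fd monitoring step above, written as a reusable check. This is an added example, not part of the original comment or of SSSD; the function names and the FD_TOLERANCE variable are assumptions made for illustration. It goes beyond the one-line loop by classifying the sample series and breaking descriptors down by kind.

```shell
# Added example: fd-leak check for a long-running daemon such as sssd_be.

# Number of open descriptors of PID $1 (only the entries in /proc/PID/fd).
fd_count() {
    ls -A "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# "kind count" lines for PID $1, grouped by link target, to show which
# kind of descriptor (pipe, socket, anon_inode, file) is accumulating.
fd_kinds() {
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            pipe:*)       echo pipe ;;
            socket:*)     echo socket ;;
            anon_inode:*) echo anon_inode ;;
            *)            echo file ;;
        esac
    done | sort | uniq -c | awk '{print $2, $1}'
}

# Classify a series of samples (arguments, oldest first). Prints "growing"
# when no sample is lower than the one before it and the last exceeds the
# first by more than FD_TOLERANCE (default 2); otherwise prints "stable".
fd_trend() {
    [ $# -ge 1 ] || { echo "usage: fd_trend N..." >&2; return 2; }
    first=$1 prev=$1 last=$1 monotonic=1
    for n in "$@"; do
        if [ "$n" -lt "$prev" ]; then monotonic=0; fi
        prev=$n last=$n
    done
    if [ "$monotonic" -eq 1 ] && [ $((last - first)) -gt "${FD_TOLERANCE:-2}" ]; then
        echo growing
    else
        echo stable
    fi
}

# Take $2 samples of PID $1, $3 seconds apart, then print the verdict.
fd_watch() {
    samples="" i=0
    while [ "$i" -lt "$2" ]; do
        samples="$samples $(fd_count "$1")"
        i=$((i + 1))
        if [ "$i" -lt "$2" ]; then sleep "$3"; fi
    done
    echo "samples:$samples"
    fd_trend $samples
}
```

Run as root, `fd_watch "$(pidof sssd_be)" 6 60` takes six one-minute samples like the loop above, and `fd_kinds "$(pidof sssd_be)"` shows which descriptor kind is growing if the verdict is "growing".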