AD keytab renewal task leaks a file descriptor
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Medium | Victor Tapia |
Bug Description
[Impact]
When SSSD tries to renew the machine password, a write_to_child_fd is opened but never closed, leaking a descriptor per request until it hits the limit and SSSD stops.
[Test Case]
1. With an AD deployed, and having the machine registered, include the following option in sssd.conf:
# This option should only be used to test the machine account renewal task. The option expects 2 integers separated by a colon (':'). The first integer defines the interval in
# seconds how often the task is run. The second specifies the initial timeout in seconds before the task is run for the first time after startup.
# Default: 86400:750 (24h and 15m)
ad_machine_
2. Restart the service and monitor the use of descriptors:
root@sssd-
38
50
62
74
86
98
110
122
134
146
158
170
182
194
206
217
229
^C
[Regression potential]
* Small, the fix comes from upstream and it's been present for some time.
* A fd could still leak, or the AD machine password renewal could stop working.
[Other info]
The bug is reported and fixed upstream: https:/
Upstream fix commit:
https:/
Trusty is not affected (feature not implemented) and A/B/C already include the fix:
$ git describe 312d211e03b9f37
sssd-1_
$ rmadison sssd
==> sssd | 1.13.4-1ubuntu1.10 | xenial-updates
sssd | 1.15.3-2ubuntu1 | artful
sssd | 1.16.1-1ubuntu1 | bionic
sssd | 1.16.1-1ubuntu1 | cosmic
sssd | 1.16.1-1ubuntu3 | cosmic-proposed
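The leak pattern described under [Impact], as an added illustration (not SSSD's code and not the upstream fix): a parent hands input to a forked helper over a pipe and either keeps or closes the write end afterwards. The names `run_child_request` and `fd_growth` are hypothetical, and the descriptor count assumes a Linux `/proc`.

```c
#include <dirent.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count this process's open descriptors via /proc/self/fd (Linux only). */
static int count_open_fds(void) {
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int n = 0;
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] != '.') n++;
    closedir(d);
    return n - 1;                 /* exclude the fd opendir() itself held */
}

/* Hypothetical stand-in for one renewal request: fork a helper and hand it
 * input over a pipe. close_write_end == 0 reproduces the leak pattern. */
static int run_child_request(int close_write_end) {
    int to_child[2], ok;
    char buf[16];
    pid_t pid;
    if (pipe(to_child) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(to_child[0]); close(to_child[1]); return -1; }
    if (pid == 0) {               /* child: consume one message and exit */
        close(to_child[1]);
        _exit(read(to_child[0], buf, sizeof buf) > 0 ? 0 : 1);
    }
    close(to_child[0]);           /* parent only writes to this pipe */
    ok = write(to_child[1], "renew\n", 6) == 6;
    if (close_write_end)
        close(to_child[1]);       /* the missing step: release the write end */
    waitpid(pid, NULL, 0);
    return ok ? 0 : -1;
}

/* Net change in open descriptors after `requests` simulated requests. */
static int fd_growth(int requests, int close_write_end) {
    int i, before = count_open_fds();
    for (i = 0; i < requests; i++)
        if (run_child_request(close_write_end) != 0) return -1;
    return count_open_fds() - before;
}

int main(void) {
    printf("leaky: +%d fds, fixed: +%d fds\n", fd_growth(10, 0), fd_growth(10, 1));
    return 0;
}
```

In a long-running daemon the leaky variant grows by one descriptor per request until the process reaches its open-file limit, which is the failure mode this report describes.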
Changed in sssd (Ubuntu):
assignee: nobody → Victor Tapia (vtapia)
Changed in sssd (Ubuntu Xenial):
assignee: nobody → Victor Tapia (vtapia)
importance: Undecided → Medium
status: New → In Progress
description: updated
Changed in sssd (Ubuntu):
assignee: Victor Tapia (vtapia) → nobody
status: New → Fix Released
description: updated
tags: added: verification-done verification-done-xenial; removed: verification-needed verification-needed-xenial
The attachment "Xenial debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]