Package: krb5-kdc-ldap
Version: 1.6.dfsg.4~beta1-5
Severity: important
After restarting krb524d opens 5 connections to ldap on my system. Some
minutes later, i.e. now, it already has 56 connections - all from the
same PID. Since the KDC is not productive yet, I'm not aware of any
requests handled in the meantime. Once it reaches the limit of its
OpenVZ container it uses 100% CPU. From the outside the KDC remains
responsive (now it's 70 connections!). I only noticed the issue, because
of the high CPU load and then because of user_bean hits. Increment is in
lots of 5 connections.
Apart from a single UDP connection to 4444 it does not entertain any
other connections according to lsof -i.
... now it's 115 connections ... lsof -i reports:
krb524d 687 root   4u IPv4 155440 TCP hel.mgr:47962->hel.mgr:ldaps (ESTABLISHED)
krb524d 687 root   7u IPv4 155445 TCP hel.mgr:47963->hel.mgr:ldaps (ESTABLISHED)
krb524d 687 root   8u IPv4 155450 TCP hel.mgr:47964->hel.mgr:ldaps (ESTABLISHED)
krb524d 687 root   9u IPv4 155455 TCP hel.mgr:47965->hel.mgr:ldaps (ESTABLISHED)
...
krb524d 687 root 139u IPv4 158877 TCP hel.mgr:40286->hel.mgr:ldaps (ESTABLISHED)
krb524d 687 root 140u IPv4 158882 TCP hel.mgr:40287->hel.mgr:ldaps (ESTABLISHED)
krb524d 687 root 141u IPv4 158887 TCP hel.mgr:40288->hel.mgr:ldaps (ESTABLISHED)
krb524d 687 root 142u IPv4 158892 TCP hel.mgr:40289->hel.mgr:ldaps (ESTABLISHED)
Another observation is that the KDC does not start automatically on
boot. It could be a simple misconfiguration (setting enable somewhere),
but maybe it's another piece of evidence. Starting manually using
/etc/init.d/krb5-kdc start works flawlessly. Doing a restart kills all
the bogus connections and starts the game from the beginning.
All my test Tickets are obtained correctly. From the outside the KDC
appears completely sane.
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-openvz-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages krb5-kdc-ldap depends on:
ii  krb5-kdc      1.6.dfsg.4~beta1-5  MIT Kerberos key server (KDC)
ii  libc6         2.7-16              GNU C Library: Shared libraries
ii  libcomerr2    1.41.3-1            common error description library
ii  libkadm55     1.6.dfsg.4~beta1-5  MIT Kerberos administration runtim
ii  libkeyutils1  1.2-9               Linux Key Management Utilities (li
ii  libkrb53      1.6.dfsg.4~beta1-5  MIT Kerberos runtime libraries
ii  libldap-2.4-2 2.4.11-1            OpenLDAP libraries
krb5-kdc-ldap recommends no packages.
krb5-kdc-ldap suggests no packages.
-- no debconf information