Package: krb5-kdc-ldap
Version: 1.7dfsg~beta3-1.1
Severity: important

We are using the LDAP backend and the KDC slowly leaks file descriptors to the LDAP server. The KDC needs to be restarted every few days since it hits the resource limits for max open file descriptors and becomes unresponsive. As a side effect, the LDAP server also reaches its file descriptor limit and becomes unresponsive.

Here's the tail of the LDAP server log for one crash:

Dec 9 02:33:39 ginseng slapd[21052]: conn=5792 op=0 RESULT tag=97 err=0 text=
Dec 9 02:33:39 ginseng slapd[21052]: conn=5793 fd=1022 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec 9 02:33:39 ginseng slapd[21052]: conn=5793 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" method=128
Dec 9 02:33:39 ginseng slapd[21052]: conn=5793 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" mech=SIMPLE ssf=0
Dec 9 02:33:39 ginseng slapd[21052]: conn=5793 op=0 RESULT tag=97 err=0 text=
Dec 9 02:33:39 ginseng slapd[21052]: conn=5794 fd=1023 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec 9 02:33:39 ginseng slapd[21052]: conn=5794 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" method=128
Dec 9 02:33:39 ginseng slapd[21052]: conn=5794 op=0 BIND dn="cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca" mech=SIMPLE ssf=0
Dec 9 02:33:39 ginseng slapd[21052]: conn=5794 op=0 RESULT tag=97 err=0 text=
Dec 9 02:33:39 ginseng slapd[21052]: daemon: accept(12) failed errno=24 (Too many open files)

The KDC eats up all that's left of the 1024 possible file descriptors for slapd. The KDC log shows nothing of interest.

We are using the following configuration:

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = "cn=kerberos,dc=csclub,dc=uwaterloo,dc=ca"
        ldap_kdc_dn = "cn=kerberos-kdc,dc=csclub,dc=uwaterloo,dc=ca"
        ldap_kadmind_dn = "cn=kerberos-admin,dc=csclub,dc=uwaterloo,dc=ca"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldapi:///
    }

This may be related to #511348 however we do not use krb524d.

Thanks,
Michael Spang

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages krb5-kdc-ldap depends on:
ii  krb5-kdc          1.7dfsg~beta3-1.1  MIT Kerberos key server (KDC)
ii  libc6             2.7-18             GNU C Library: Shared libraries
ii  libcomerr2        1.41.3-1           common error description library
ii  libgssapi-krb5-2  1.7dfsg~beta3-1.1  MIT Kerberos runtime libraries - k
ii  libgssrpc4        1.7dfsg~beta3-1.1  MIT Kerberos runtime libraries - G
ii  libk5crypto3      1.7dfsg~beta3-1.1  MIT Kerberos runtime libraries - C
ii  libkadm5srv6      1.7dfsg~beta3-1.1  MIT Kerberos runtime libraries - K
ii  libkdb5-4         1.7dfsg~beta3-1.1  MIT Kerberos runtime libraries - K
ii  libkeyutils1      1.2-9              Linux Key Management Utilities (li
ii  libkrb5-3         1.7dfsg~beta3-1.1  MIT Kerberos runtime libraries
ii  libkrb5support0   1.7dfsg~beta3-1.1  MIT Kerberos runtime libraries - S
ii  libldap-2.4-2     2.4.11-1+lenny1    OpenLDAP libraries

krb5-kdc-ldap recommends no packages.

krb5-kdc-ldap suggests no packages.

-- no debconf information
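
Added example, not part of the original report and not code from the krb5 or OpenLDAP projects: a Python check that reads slapd log lines of the kind quoted above and counts, per bind DN, the connections that were accepted but never logged as closed, so a client leaking descriptors shows up before slapd hits errno=24. It assumes slapd logs at the stats level, which writes a "conn=N fd=M closed" line when a connection ends; the sample log, host name, DNs and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in slapd "stats" log format (not taken from the report).
SAMPLE_LOG = """\
Dec 9 02:00:01 ldaphost slapd[100]: conn=101 fd=20 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec 9 02:00:01 ldaphost slapd[100]: conn=101 op=0 BIND dn="cn=kdc,dc=example,dc=org" method=128
Dec 9 02:00:02 ldaphost slapd[100]: conn=102 fd=21 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec 9 02:00:02 ldaphost slapd[100]: conn=102 op=0 BIND dn="cn=app,dc=example,dc=org" method=128
Dec 9 02:00:03 ldaphost slapd[100]: conn=102 op=1 UNBIND
Dec 9 02:00:03 ldaphost slapd[100]: conn=102 fd=21 closed
Dec 9 02:00:04 ldaphost slapd[100]: conn=103 fd=21 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec 9 02:00:04 ldaphost slapd[100]: conn=103 op=0 BIND dn="cn=kdc,dc=example,dc=org" method=128
Dec 9 02:00:05 ldaphost slapd[100]: conn=104 fd=22 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec 9 02:00:05 ldaphost slapd[100]: conn=104 op=0 BIND dn="cn=kdc,dc=example,dc=org" method=128
Dec 9 02:00:06 ldaphost slapd[100]: daemon: accept(12) failed errno=24 (Too many open files)
"""

ACCEPT = re.compile(r"conn=(\d+) fd=(\d+) ACCEPT from ")
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed")
EMFILE = re.compile(r"accept\(\d+\) failed errno=24")


def open_connections(log_text):
    """Return ({conn_id: {"fd", "dn"}} still open at end of log, EMFILE seen?)."""
    conns, exhausted = {}, False
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            conns[int(m[1])] = {"fd": int(m[2]), "dn": None}
        elif m := BIND.search(line):
            # Attribute the connection to the DN it bound as; ignore binds
            # on connections whose ACCEPT is outside the log window.
            if int(m[1]) in conns:
                conns[int(m[1])]["dn"] = m[2]
        elif m := CLOSED.search(line):
            conns.pop(int(m[1]), None)
        elif EMFILE.search(line):
            exhausted = True
    return conns, exhausted


def leak_suspects(log_text, threshold):
    """Bind DNs holding at least `threshold` never-closed connections."""
    conns, exhausted = open_connections(log_text)
    per_dn = Counter(c["dn"] or "<no bind seen>" for c in conns.values())
    return {dn: n for dn, n in per_dn.items() if n >= threshold}, exhausted


if __name__ == "__main__":
    print(leak_suspects(SAMPLE_LOG, threshold=3))
```

Run over a window that starts at slapd startup, or treat the count as a lower bound, since connections accepted before the window are not seen.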