Bug 1588596

Summary: many adcli-krb5-????? directories are created in /tmp
Product: Red Hat Enterprise Linux 7
Reporter: Avigdor Finkelstein <avigdorfin>
Component: adcli
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Priority: unspecified
Version: 7.6
CC: avigdorfin, cpelland, lslebodn, mpolovka, pcech, pkis, vbenes
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: adcli-0.8.1-9.el7
Doc Type: If docs needed, set a value
Last Closed: 2019-08-06 13:11:03 UTC
Type: Bug
Bug Blocks: 1647919

Description Avigdor Finkelstein 2018-06-07 15:09:10 UTC
Description of problem:
Every 5 minutes a small tree is created in /tmp like that:
/tmp/adcli-krb5-xxxxx
`- krb5.d 
   `- adcli-krb5-conf-XXXXX

The file is a partial duplication of /etc/krb5.conf.
The files are gathered, and I discovered them when there were about 5000 trees like that on each server. Now I clean them weekly, with a cron job.
Yet, this is still a bug that needs to be solved.

Version-Release number of selected component (if applicable):
Main releases are RHEL 7.3 and 7.4
adcli-0.8.* and
sssd-1.14 or
sssd-1.15 or
sssd-1.16

How reproducible:
I only guess that the problem lies with AD records that include Hebrew ISO codes combined with a double quote (") that follows a backslash (\), for example
from the sssd logs:
(Mon Mar 26 12:25:25 2018) [sssd[be[default]]] [ad_enum_cross_dom_members]
(0x0080): Failed to add [CN=אגף/פיתוח/מחלקה/קבוצה
ארה\"ב,OU=Groups,OU=Site,OU=Company,DC=com]: Input/output error 
Note: The Hebrew string is reversed by the mailer editor, but
I guess that would help only those who are able to recognize the letters.

And a second example:
Date Time [sssd[be[default]]]  [ad_enum_cross_dom_numbers] (0x0080): Failed
to add [CN=ב\"כג/דכ\"ד/קקר,OU=כע\"י/רח\"ג/עיחעגד חיכגח//חיחי 456,OU=ANOTHER
OU,OU=YET MORE,DC=realm]: Input/outoput error
Date Time [sssd[be[default]]] [ldb] (0X4000): Added timed event
"ltdb_callback": 0x55b66975178b0

Steps to Reproduce:
1. Again, I only guess that creating users with CN and OU values that include strings like those described above will cause the problem that leaves the small tree of files in /tmp every 5 minutes.

Additional info:
There are cases that I created with a local analyst in Israel and with Red Hat support, but since I didn't get a reasonable response, I hope that a record in Bugzilla will expedite the solution.

Comment 2 Sumit Bose 2018-06-07 17:32:02 UTC
Hi,

If adding 'ad_maximum_machine_account_password_age = 0' to the [domain/...] section of sssd.conf does not help please add 'debug_level=9' to the [domain/...] section of sssd.conf, restart SSSD, let it run for e.g. 15min and attach the /var/log/sssd/sssd_your.domain.name.log to this ticket.

bye,
Sumit

Comment 8 Manu Augustine 2018-07-12 13:39:51 UTC
Customer confirmed the test package worked for him. No more krb temp files.

Thanks Sumit.

Comment 9 Sumit Bose 2018-12-07 13:10:27 UTC
To reproduce I would remove the 'NAME$@AD.REALM' entry from the keytab
and call 'adcli update'. Without the fix there should be a
/tmp/adcli-krb5-xxxxx left in /tmp/. With the fix there should be no
such directory.
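A shell check for the condition Comment 9 describes, added here as an example and not code from the bug report or from adcli: it counts leftover adcli-krb5-* work trees in a directory and verifies that a command such as `adcli update` does not add to them. The directory and the command are parameters; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or the adcli project).
# Leftover trees look like DIR/adcli-krb5-XXXXXX/krb5.d/adcli-krb5-conf-XXXXXX.

count_adcli_leftovers() {
    # Usage: count_adcli_leftovers [DIR]   (DIR defaults to /tmp)
    # Prints the number of adcli-krb5-* directories directly under DIR.
    dir=${1:-/tmp}
    n=0
    for d in "$dir"/adcli-krb5-*; do
        [ -d "$d" ] || continue   # skips an unmatched glob or a plain file
        n=$((n + 1))
    done
    echo "$n"
}

list_stale_adcli_leftovers() {
    # Usage: list_stale_adcli_leftovers [DIR] [MINUTES]
    # Prints trees older than MINUTES (default 10). Since SSSD triggers the
    # renewal every 5 minutes, a tree that outlives two cycles was never
    # cleaned up by adcli and is a candidate for the cron cleanup.
    dir=${1:-/tmp}
    min=${2:-10}
    find "$dir" -maxdepth 1 -type d -name 'adcli-krb5-*' -mmin "+$min" 2>/dev/null
}

leaves_no_leftovers() {
    # Usage: leaves_no_leftovers DIR COMMAND [ARGS...]
    # Runs COMMAND and returns 0 only if the count of adcli-krb5-* trees in
    # DIR did not grow. The check from Comment 9 is then:
    #   leaves_no_leftovers /tmp adcli update
    dir=$1
    shift
    before=$(count_adcli_leftovers "$dir")
    "$@"
    after=$(count_adcli_leftovers "$dir")
    [ "$after" -le "$before" ]
}
```

With a fixed adcli, `leaves_no_leftovers /tmp adcli update` returns 0; on an affected build it returns 1 because a new tree appears.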

Comment 11 Avigdor Finkelstein 2019-03-17 07:02:42 UTC
I'm sorry to inform you that the fix above was applied and did not solve the problem. Those small file trees continue to accumulate in /tmp, one every 5 minutes. The problem appeared first on RHEL 7.3, continued on 7.4, was solved on 7.5 and sadly appears again on RHEL 7.6.
The temporary solution is to remove the adcli rpm of 7.6 and reapply the 7.5 rpm.
Please open the problem again.

Comment 12 Avigdor Finkelstein 2019-03-17 07:06:33 UTC
The description above, related to Hebrew letters, was a wrong guess.
Actually the problem is caused by a lower-case user principal versus an upper-case one. Windows is case insensitive, yet Linux and MIT are case sensitive.

Comment 15 Sumit Bose 2019-04-09 16:26:44 UTC
*** Bug 1698063 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2019-08-06 13:11:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2256