Bug 761006

Summary: Leaking rcache opens in gss_accept_context
Product: Red Hat Enterprise Linux 6 Reporter: bcodding
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Zbysek MRAZ <zmraz>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: dpal, ebenes, jplans, jwest, mpoole, ndevos, prc, xhejtman
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: krb5-1.9-25.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 14:26:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description bcodding 2011-12-07 15:00:38 UTC 
We run an NFS4 server cluster that uses HA and virtual IP addresses.  Because of this, we run the NFS4 rpc.svcgssd process with the '-n' flag, which causes rpc.svcgssd to defer credential creation for a context until the context is needed.

When run this way, it exposes a kerberos bug that leaks rcache opens in gss_accept_context by opening a new file handle for each client context created.  Eventually, rpc.svcgssd runs up agains ulimit and must be restarted.

Here is some discussion of the problem:

http://marc.info/?t=131068390400045&r=1&w=2

The fix should be included in 1.9.2:

http://src.mit.edu/fisheye/changelog/krb5?cs=24917

We are running into this bug in krb5-workstation-1.9-22.el6_2.1.x86_64.
Comment 2 Nalin Dahyabhai 2012-01-30 22:46:21 UTC 
Patch merged for krb5-1.9-25.el6 and later.
Comment 5 Dmitri Pal 2012-05-13 18:44:28 UTC 
*** Bug 812014 has been marked as a duplicate of this bug. ***
Comment 6 Lukas Hejtmanek 2012-06-18 17:20:10 UTC 
Is the patched version available for RHEL 6.2?
Comment 7 Niels de Vos 2012-06-19 08:08:10 UTC 
(In reply to comment #6)
> Is the patched version available for RHEL 6.2?

No, but if your use-case has an urgent enough business justification, you can:

1. contact Red Hat Global Support Services (https://access.redhat.com/support/cases/new)
2. provide them the data they need to verify that you hit this bug
3. describe the urgency and business justification
4. request an errata for RHEL-6.2

Currently, this bug is scheduled to be fixed with RHEL-6.3.
Comment 8 errata-xmlrpc 2012-06-20 14:26:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0921.html