Bug 951564
Summary: | Document the lastlog file format limitation | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tomas Mraz <tmraz> |
Component: | shadow-utils | Assignee: | Iker Pedrosa <ipedrosa> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | amurdaca, bberg, bnocera, bsingh, dwalsh, ebenes, edray, erapatchnotifications, erinn.looneytriggs, jhrozek, kdudka, ladislav.furman, mmalik, mvermaes, nelaaro, pablo.iranzo, patsev.anton, peter, pvrabec, rhack, rrajaram, rrauenza, ssorce, tmraz, yaplej |
Target Milestone: | --- | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | sync-to-jira review | ||
Fixed In Version: | shadow-utils-4.8.1-8.fc34 shadow-utils-4.8.1-6.fc33 | Doc Type: | Enhancement |
Doc Text: | Story Points: | --- | |
Clone Of: | 771286 | Environment: | |
Last Closed: | 2021-04-24 19:45:16 UTC | Type: | --- |
Bug Blocks: | 827429 |
Description
Tomas Mraz
2013-04-12 13:38:11 UTC
When using the pam_tally2.so module I am seeing the same result for the tallylog. Would this be related? We bound to an Active Directory using beyondtrust's PowerBroker Identity Services (http://www.beyondtrust.com/Home/FreeTrials/#tab2), previously Likewise. The domain accounts have UIDs in the hundred millions, up to trillions. As soon as they are recognized lastlog and tallylog explode up to 100+ GB. I'm sure the same result would be found if we went through the manual steps to bind to the AD, but I can't test that right now. But the pattern is the same.

```
# ls -hl /var/log/lastlog
... ... 528G ... /var/log/lastlog
# du -h /var/log/lastlog
32K /var/log/lastlog
# ls -hl /var/log/tallylog
... ... 116G ... /var/log/tallylog
# du -h /var/log/tallylog
12K /var/log/tallylog
```

You have to use pam_faillock.so module instead of pam_tally2.so.

This is a very old issue and is now causing havoc with docker. Is anyone looking at this issue?

Currently nobody. Also please understand that it can be changed in the next major RHEL release at the earliest. We cannot change it in RHEL6 and 7.

Sure, although we potentially could do something in containers rather than in full userspace. But if we don't do something soon, this will not get fixed in RHEL8.

This lastlog file is causing me tremendous grief, causing the / partition to appear full so yum won't run, or all sorts of other issues. Only solution is to check the file, delete it and reboot. That pretty much sucks.

Just wanted to call attention to this bug again.

Also affects our systems. Getting disk usage alerts/root full alerts for a 43G lastlog file. Using IPA, with uids like '100 000 000'

Having the same issue on our servers, also using IPA.

Same issue occurs when using Centrify DC suite with enabled generating UIDs off of AD SID.

This is a really frustrating issue. Reported back in 2012 and still not fixed. There is not even a fix/workaround to prevent this one file from causing all sorts of problems with monitoring tools and almost anything that checks disk space. How about image based backup utilities and docker images seem to be struggling with this also. http://www.noah.org/wiki/Lastlog_is_gigantic

```
ls -lh /var/log/lastlog
-rw-r--r--. 1 root root 441G Oct 26 05:03 /var/log/lastlog
```

Joining RH systems to an AD domain should be common enough for this to get fixed.

Hello. There is a frozen proof of concept called liblastlog2: https://github.com/marmolak/liblastlog2 Yeah, it needs some polish after years. However I'm not sure how open upstreams will be to adopting this approach. You need to propose changes at least to:

- openssh (portable)
- gnome/kde
- pamd
- systemd
- ...

and almost any other project which uses old lastlog operations. I have had experimental patches with support for openssh but not proposed.

Having the same issue on our servers

```
ls -lh /var/log/lastlog
-rw-r--r--. 1 root root 494G Jul 23 11:53 /var/log/lastlog
```

The fprintd PAM module, which authenticates users through fingerprint readers, would like to be able to know when the last time a particular user logged in using a certain type of authentication. E.g. we'd like to force the user to enter their password when the machine has been rebooted or when they haven't used that password in X hours, but for that we'd need the authentication methods to be recorded, and have a way of accessing that information programmatically.

FEDORA-2021-45b039fc92 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-45b039fc92

FEDORA-2021-45b039fc92 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-45b039fc92` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-45b039fc92 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-45b039fc92 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2021-6761b1adac has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-6761b1adac

FEDORA-2021-6761b1adac has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-6761b1adac` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-6761b1adac See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-6761b1adac has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
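
The gap between `ls` and `du` reported in the comments above comes from lastlog being a flat array indexed by UID, so one login by a high UID sets the file length while the lower slots stay unallocated holes. The following is an added example, not code from this bug report or from shadow-utils, that reproduces the effect in a temporary directory; the 292-byte record layout (x86_64 glibc `struct lastlog`), the function names and the sample login values are assumptions.

```python
import os
import struct
import tempfile

# Assumed layout of glibc's struct lastlog on x86_64:
# int32 ll_time, char ll_line[32], char ll_host[256] -> 292 bytes per UID.
LASTLOG = struct.Struct("=i32s256s")

def apparent_size(max_uid):
    """Bytes `ls -l` reports once max_uid has logged in."""
    return (max_uid + 1) * LASTLOG.size

def write_entry(path, uid, when, line, host):
    """Store one record at offset uid * record size; lower slots stay holes."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        os.pwrite(fd, LASTLOG.pack(when, line.encode(), host.encode()),
                  uid * LASTLOG.size)
    finally:
        os.close(fd)

def read_entry(path, uid):
    """Return (time, line, host) for uid, or None if the slot was never written."""
    fd = os.open(path, os.O_RDONLY)
    try:
        raw = os.pread(fd, LASTLOG.size, uid * LASTLOG.size)
    finally:
        os.close(fd)
    if len(raw) < LASTLOG.size:
        return None
    when, line, host = LASTLOG.unpack(raw)
    if when == 0:  # a hole reads back as zeros
        return None
    return when, line.rstrip(b"\0").decode(), host.rstrip(b"\0").decode()

def disk_usage(path):
    """(apparent bytes as in ls, allocated bytes as in du)."""
    st = os.stat(path)
    return st.st_size, st.st_blocks * 512

def demo(uid=100_000_000):
    """Constructed sample: one login by a directory-service style UID."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "lastlog")
        write_entry(path, uid, 1619293516, "pts/0", "host.example")
        apparent, allocated = disk_usage(path)
        return apparent, allocated, read_entry(path, uid), read_entry(path, 5)
```

Calling `demo()` on a filesystem that supports sparse files returns an apparent size of about 29 GB next to a few kilobytes allocated, which is why monitoring and backup tools that read the apparent size raise alerts while `du` does not.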