RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1179820 - Kerberos KDC connection limit too low
Summary: Kerberos KDC connection limit too low
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5
Version: 6.8
Hardware: Unspecified
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-07 15:39 UTC by Andrew Dingman
Modified: 2015-10-07 17:25 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-07 17:25:10 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Andrew Dingman 2015-01-07 15:39:27 UTC 
Description of problem:

The Kerberos KDC has a low, hard-coded limit on concurrent tcp connections. This results in large numbers of INFO level log entries about dropped connections when many clients are trying to contact the KDC. It could lead to additional problems with more clients.

My current scenario is not one that should be followed in real life, but similar situations could occur with larger numbers of clients that are not misconfigured. I anticipate regularly having many hundreds, potentially thousands, of connected clients booting nearly simultaneously within the year.

Version-Release number of selected component (if applicable):

krb5-server-1.10.3-33.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure 62 clients to use a KDC
2. Prevent replies from the KDC from reaching the clients
3. observe KDC logs as clients attempt to contact KDC

Actual results:

Logs fill up with dropped connection messages.

Expected results:

affected clients fail to authenticate, but do not exhaust all available open connections before they time out.

Additional info:
Comment 2 Roland Mainz 2015-01-16 20:44:01 UTC 
(In reply to Andrew Dingman from comment #0)
> Description of problem:
> 
> The Kerberos KDC has a low, hard-coded limit on concurrent tcp connections.

Which limit do you mean ?
Comment 3 Roland Mainz 2015-01-16 20:58:46 UTC 
AFAIK we have the following default limits:
- 1 process (by default)
- max. 45 connections as defined via |max_tcp_or_rpc_data_connections| in ./krb5/src/lib/apputils/net-server.c (per process ?)
- 1024 sockets/files max. as defined via Linux default resource limit for file descriptors (see $ ulimit -n #)
- [optionally] a fd limit imposed when |select()| is used, see |FD_SETSIZE|
Comment 4 Roland Mainz 2015-01-16 21:07:33 UTC 
The 45 connection limits defined per |max_tcp_or_rpc_data_connections| in ./krb5/src/lib/apputils/net-server.c may be (theory) a result of the old 64 fd resource limit for user processes in SystemV+BSD4.3 (which still exists in modern Solaris/Illumos and maybe *BSD, too) ... maybe 45 was picked so there are at least 19 fds available for other purposes like config files and plugins.

AFAIK a possible fix may be to query the resource limit for file descriptors ($ ulimit -n #) and then do a |MAX(result/2, 45)| ... but that is likely a question for the upstream Kerberos5 list (and we need conformation that it's really this 45 connection limit which is bothering you...) ...
Comment 5 Dmitri Pal 2015-01-16 23:58:25 UTC 
I think this is an invalid test case.
Blocking replies makes clients think that the connection is broken and they will start reconnecting again after a timeout which is in fact hard coded.
But the test claims that this is the server that it fault. This seems to be wrong. It is the client that is at fault but so fat this is by design and has nothing to do with the scalability of the server..
Comment 6 Andrew Dingman 2015-01-18 20:39:34 UTC 
I only just realized that comment 3 was not a reply to comment 2. Yes, the 45 connection limit in net-server.c is the one I was referring to. Neither ulimits nor file handle limits were coming into play. I was expecting to need to tweak those, but found this instead.

I agree that the test case is not something that should ever happen. Our cloud provider thoughtlessly applied a firewall rule that more or less turned all outbound Kerberos traffic into half-open attacks. It is just the first thing that happened in my infrastructure to bring the limit to my attention.
Comment 9 Robbie Harwood 2015-10-07 17:25:10 UTC 
This sounds like a misconfiguration.  Additionally, if there's an actual problem with a new use case here, it would be better suited for RHEL7, not RHEL6.
Note You need to log in before you can comment on or make changes to this bug.