Bug 1588596 - many adcli-krb5-????? directories are created /tmp
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: adcli
Version: 7.6
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Sumit Bose
QA Contact: ipa-qe
Duplicates: 1698063
Depends On:
Blocks: 1647919
Reported: 2018-06-07 15:09 UTC by Avigdor Finkelstein
Modified: 2019-08-06 13:11 UTC (History)

Fixed In Version: adcli-0.8.1-9.el7
Last Closed: 2019-08-06 13:11:03 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:2256 0 None None None 2019-08-06 13:11:10 UTC

Description Avigdor Finkelstein 2018-06-07 15:09:10 UTC
Description of problem:
Every 5 minutes a small tree is created in /tmp like that:
/tmp/adcli-krb5-xxxxx
`- krb5.d 
   `- adcli-krb5-conf-XXXXX

The file is a partial duplication of /etc/krb5.conf.
The files are gathered and I discovered them when there were about 5000 trees like that on each server. Now I clean them weekly with a cron job.
Yet, this is still a bug that needs to be solved.

Version-Release number of selected component (if applicable):
Main releases are RHEL 7.3 and 7.4
adcli-0.8.* and
sssd-1.14 or
sssd-1.15 or
sssd-1.16

How reproducible:
I only guess that the problem lies with AD records that include Hebrew ISO codes combined with a double-quote (") that follows a backslash (\), for example
from sssd logs:
(Mon Mar 26 12:25:25 2018) [sssd[be[default]]] [ad_enum_cross_dom_members]
(0x0080): Failed to add [CN=אגף/פיתוח/מחלקה/קבוצה
ארה\"ב,OU=Groups,OU=Site,OU=Company,DC=com]: Input/output error 
Note: The Hebrew string is reversed by the mailer editor, but
I guess that would help only those who may be able to recognize the letters.

And a second example:
Date Time [sssd[be[default]]]  [ad_enum_cross_dom_numbers] (0x0080): Failed
to add [CN=ב\"כג/דכ\"ד/קקר,OU=כע\"י/רח\"ג/עיחעגד חיכגח//חיחי 456,OU=ANOTHER
OU,OU=YET MORE,DC=realm]: Input/outoput error
Date Time [sssd[be[default]]] [ldb] (0X4000): Added timed event
"ltdb_callback": 0x55b66975178b0

Steps to Reproduce:
1. Again, I only guess that creating users with CN and OU that include strings like those described above will create the problem that leaves the small tree of files in /tmp every 5 minutes.
2.
3.

Actual results:


Expected results:


Additional info:
There are cases that I created with a local analyst in Israel and with RED HAT support, but since I didn't get a reasonable response, I hope that a record in Bugzilla will expedite the solution.

Comment 2 Sumit Bose 2018-06-07 17:32:02 UTC
Hi,

If adding 'ad_maximum_machine_account_password_age = 0' to the [domain/...] section of sssd.conf does not help, please add 'debug_level=9' to the [domain/...] section of sssd.conf, restart SSSD, let it run for e.g. 15min and attach the /var/log/sssd/sssd_your.domain.name.log to this ticket.

bye,
Sumit

Comment 8 Manu Augustine 2018-07-12 13:39:51 UTC
Customer confirmed the test package worked for him. No more krb temp files.

Thanks Sumit.

Comment 9 Sumit Bose 2018-12-07 13:10:27 UTC
To reproduce I would remove the 'NAME$@AD.REALM' entry from the keytab
and call 'adcli update'. Without the fix there should be a
/tmp/adcli-krb5-xxxxx left in /tmp/. With the fix there should be no
such directory.
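
Added example (not part of the comment above and not adcli code): a shell check for the verification step in Comment 9 that reports any adcli-krb5-* directory a command leaves behind in a temp root. The function names are hypothetical; the keytab edit from the comment is not performed here, only the before/after comparison around the command.

```shell
#!/bin/sh
# Added example; function names are hypothetical and not part of adcli.

# Print the adcli-krb5-* directories directly under $1, one per line, sorted.
list_adcli_tmp() {
    find "${1%/}" -mindepth 1 -maxdepth 1 -type d -name 'adcli-krb5-*' \
        2>/dev/null | LC_ALL=C sort
}

# Run a command and print every adcli-krb5-* directory under $1 that exists
# afterwards but did not exist before. Usage: leaked_after /tmp adcli update
leaked_after() {
    root=$1; shift
    before=$(mktemp "${TMPDIR:-/tmp}/leakcheck.XXXXXX") || return 2
    after=$(mktemp "${TMPDIR:-/tmp}/leakcheck.XXXXXX") || { rm -f "$before"; return 2; }
    list_adcli_tmp "$root" > "$before"
    # The command's exit status is irrelevant here; only leftovers matter.
    "$@" >/dev/null 2>&1 || true
    list_adcli_tmp "$root" > "$after"
    # comm -13 keeps lines found only in the second (post-run) listing.
    LC_ALL=C comm -13 "$before" "$after"
    rm -f "$before" "$after"
}

# Count leftovers shaped like the tree in the report:
#   <root>/adcli-krb5-XXXXX/krb5.d/adcli-krb5-conf-XXXXX
count_report_shaped() {
    root=${1%/}
    n=$(find "$root" -mindepth 3 -maxdepth 3 -type f \
        -path "$root/adcli-krb5-*/krb5.d/adcli-krb5-conf-*" 2>/dev/null | wc -l)
    echo $((n))
}

# Stand-alone use: sh leakcheck.sh /tmp adcli update
if [ "$#" -ge 2 ]; then
    leaked_after "$@"
fi
```

Empty output from `leaked_after` means the command left no new tree behind; `count_report_shaped /tmp` gives the size of the existing backlog.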

Comment 11 Avigdor Finkelstein 2019-03-17 07:02:42 UTC
I'm sorry to inform you that the fix above was applied and did not solve the problem. Those small file trees continue to accumulate in /tmp, one every 5 minutes. The problem appeared first on RHEL 7.3, continued on 7.4, was solved on 7.5 and sadly appeared again on RHEL 7.6.
The temporary solution is to remove the adcli rpm of 7.6 and reapply the 7.5 rpm.
Please open the problem again.

Comment 12 Avigdor Finkelstein 2019-03-17 07:06:33 UTC
The description above, related to Hebrew letters, was a wrong guess.
Actually, the problem is caused by the lowercase user principal versus an uppercase one. Windows is case insensitive, yet Linux and MIT are case sensitive.

Comment 15 Sumit Bose 2019-04-09 16:26:44 UTC
*** Bug 1698063 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2019-08-06 13:11:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2256

